20 May 2026
I wanted to talk about this because it is incredibly common. In practice, good information security often starts with something much simpler than firewalls or cyber tools. It is knowing what information you actually have, where it lives and who can access it. If you do not know you have it, you cannot secure it.
We recently completed a security assessment for a small law firm with a couple of offices. The interesting part was not discovering some catastrophic security failure. The interesting part was how normal everything looked.
Privacy breaches caused by good intentions
Like many firms, staff gradually built practical ways to get work done quickly. Documents moved through SharePoint, Dropbox and email depending on who needed them fastest. Teams created “temporary” folders that quietly became permanent. People kept personal copies of important documents because they no longer trusted the shared structure completely. The problem with this is that the critical information now resides in multiple places, with little oversight or control.
At one point we found a folder path that went something like:
“Shared Matters → Current → Active → New → Use This One → Final → Final 2 → Final Real”
We have all seen that, right? Most offices have some variation of it.
We also found several shared SharePoint areas where nobody felt entirely certain who still had access. Nobody ignored security deliberately. Instead, access changed gradually over time. Somebody helped on a matter for two weeks, changed teams six months later and quietly kept access forever because removing permissions never felt urgent.
Boundary security is the easy bit
Organisations usually lose visibility over information long before they lose control of security. Staff enter and leave using swipe cards and log into networks using proper authentication. But inside those systems, teams no longer know where the authoritative version of anything lives. Important documents sit inside forgotten folders. Teams become uncertain whether information still exists, whether somebody deleted it or whether somebody copied it somewhere else years ago.
So the big problems rarely start with hackers. They start with ordinary people making sensible shortcuts to get the job done. Then shortcuts layer on top of each other until critical information starts getting lost.
The bigger challenge is not securing the information if that simply means throwing a cordon around all of it. The bigger challenge is knowing what information exists, where it lives and who can access it. You cannot secure information you do not know you have.
Global Law Firm Attributes Data Breach to Compromise at File Sharing Provider
