Short answer: client files are exposed when the wrong people can access them, even if they are not visible to the public internet.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- SharePoint and Teams permissions
- Guest users, sharing links, and archived matters
- What AI-connected tools may be able to surface
For many New Zealand professional services firms, client information lives across Microsoft 365: SharePoint, Teams, OneDrive, Outlook, and shared folders. That is normal. It also means access decisions can spread quietly over time.
A folder shared for one matter may stay open. A guest user may remain active after a project ends. A Teams site may include more people than intended. A link may still work months after it was needed.
What does exposed actually mean?
Exposed does not always mean "published online". It can mean:
- Too many staff can see sensitive client folders.
- External guests still have access after their work is complete.
- Anyone with an old link can open a document.
- Former contractors remain in Teams or SharePoint groups.
- Client documents are stored in personal OneDrive locations rather than controlled workspaces.
- Permissions are inherited from a parent folder nobody has reviewed.
In a professional services setting, this is not just untidy administration. It can affect confidentiality, privacy obligations, and client confidence.
Where should a file exposure review start?
Start with the places where client work happens every day. A practical review should check:
- SharePoint sites holding client or matter files.
- Teams channels used for client work.
- External sharing settings and active links.
- Guest users and their last activity.
- OneDrive files shared externally.
- Administrator and owner accounts.
- Sensitive folders that should have restricted access.
The goal is to identify what is open, why it is open, and whether it still needs to be.
Why old permissions become risky
Permissions are rarely wrong on day one. They usually become risky because the firm changes. Staff move roles. Matters close. Contractors finish. Clients change. Teams are copied. Folders are reused.
Without a review rhythm, access accumulates. That makes it harder to explain who can see what, and harder to respond quickly if something goes wrong.
How does AI change the file exposure conversation?
AI tools connected to workplace systems may surface information based on existing permissions. If a staff member already has access to a file, an AI assistant may be able to help them find or summarise it.
That can be useful when permissions are clean. It can be uncomfortable when they are not.
Before introducing wider AI use, firms should review Microsoft 365 access settings, especially for confidential client work, finance material, employment matters, merger or transaction files, and internal management documents.
What should a good access review produce?
A useful review should not end with a technical export nobody reads. It should produce clear decisions:
- Which external guests should be removed.
- Which sharing links should be disabled.
- Which folders need restricted permissions.
- Which Teams or SharePoint sites need owners.
- Which staff need guidance on where to store client files.
- How often the firm will repeat the review.
For professional services firms, file access should be simple enough to explain to a client if needed.
FAQs
How can a firm tell if client files are exposed?
A firm should review Microsoft 365 permissions, SharePoint and Teams membership, external sharing links, guest users, OneDrive sharing, and access to sensitive client folders.
Does exposed mean public on the internet?
Not always. Exposed can mean files are visible to too many internal staff, former guest users, external collaborators, or anyone with an old sharing link.
Why does AI make file exposure more important?
AI tools connected to workplace systems may surface information based on existing access. If permissions are too broad, AI can make those issues easier to notice and harder to ignore.
Sources: Microsoft, National Cyber Security Centre, and EQIQ local brand materials.
Book a Conversation
