
GrimLabs

Google Drive Links Never Expire. That's a Problem.

A friend of mine runs a 15-person agency. Last year he found out that a contractor who left 18 months ago still had access to every client deliverable, every internal strategy doc, and every financial report that had been shared via Google Drive links. Not because anyone intentionally kept them in the loop. But because nobody revoked anything, and Google Drive links don't expire.

Turns out, when you share a Google Drive link with "anyone with the link can view," that link works forever. There is no built-in expiration. No automatic cleanup. No reminder that says "hey, this document is still accessible to 47 people including 12 who no longer work here."

And honestly? Most teams have hundreds of these links floating around.

The scope of the problem

Think about every Google Drive link you've shared in the last two years. Client proposals. Internal roadmaps. Hiring plans with salary details. Board decks. Financial models. Contracts.

Now think about how many of those links are still active right now. The answer, unless you've manually gone through and revoked access one by one, is all of them.

A Metomic study on Google Drive security found that the average company has over 10,000 files shared externally through Google Workspace. And only about 5% of companies have any process for auditing or revoking external sharing. That's a lot of open doors.

This isn't a Google Drive hate piece. Drive is great for internal collaboration. But it was built for collaboration, not for controlled external sharing. Those are fundamentally different use cases, and treating them the same way creates risk.

Former employees are the biggest blind spot

When someone leaves your company, you (hopefully) deactivate their email and revoke their login. But what about every Google Drive link they were shared on as a viewer? What about links they shared with external contacts from their personal email?

Most offboarding checklists don't include "audit every shared Drive link this person had access to." Because doing that manually would take hours. Maybe days for someone who was at the company for a few years.

According to Varonis's Global Data Risk Report, the average employee has access to 17 million files on day one. And when they leave, most of that access isn't cleaned up because it would be too time-consuming to do manually.

Now multiply this by every employee, contractor, freelancer, and intern who has cycled through your company. That's your actual risk surface.

Contractors and freelancers make it worse

With full-time employees at least you have some offboarding process, even if it's incomplete. But contractors and freelancers? Most teams add them to shared folders during a project and then just... forget.

I've seen agencies where freelance designers from three years ago still have access to active client folders. Not because anyone wanted them to. Just because nobody remembered to remove them.

And the freelancer probably doesn't even know they still have access. They're not doing anything malicious. The link is just sitting in their email or bookmarks, still live, still accessible.

"Anyone with the link" is scarier than it sounds

Google Drive's sharing permissions have a setting that says "anyone with the link can view." It sounds relatively safe. After all, someone needs the link to access it.

But links get forwarded. They get pasted in Slack channels. They end up in email threads that get forwarded again. They get bookmarked on shared computers. They get indexed by search engines if they end up on a public webpage (this happens more than you'd think).

A single "anyone with the link" share is effectively publishing that document to anyone who can find or receive the URL. There's no authentication, no verification, no logging of who accessed it.

Google does offer "restricted" sharing where only specific email addresses can access a file. That's more secure but also more friction, and most people default to "anyone with the link" because it's easier.

What good access management looks like

Here's what would actually solve this problem:

Automatic expiration. Every shared link should have a default expiration date. Maybe 30 days, maybe 90 days. If someone still needs access they can request an extension. But the default should be "access expires" not "access is permanent."

Access auditing. You should be able to see, in one dashboard, every document that's shared externally, who has access, and when it was last accessed. If a link hasn't been accessed in 6 months, it should get flagged for review.

Offboarding integration. When someone leaves your organization, every shared link that includes their email should get automatically reviewed. Bonus points if links they created are also flagged.

Access logging. Not just "was this link accessed" but "who accessed it, when, from what device, and how long did they spend." This matters for compliance but also just for basic awareness.

Google Drive has some of these features for Google Workspace Enterprise customers, but not for smaller plans. And the implementation requires manual configuration that most admins never set up.

The compliance angle

If your company handles any regulated data (healthcare, financial, legal, educational), the "links never expire" problem isn't just a security nuisance. It can be a compliance violation.

GDPR requires that you be able to demonstrate control over personal data. If client data is accessible through links you shared two years ago to people who no longer need access, you're arguably not in compliance.

SOC 2 audits specifically look at access controls and whether access is revoked when no longer needed. "We shared it via Google Drive and forgot to revoke it" is not an answer that auditors like.

Even if you're not in a regulated industry, your clients might be. And if their data is in your Drive folders being accessed by unknown parties through old links, that's their compliance problem that you created.

What you can do right now

If you're reading this and feeling uncomfortable (I was when I first thought about it), here are some immediate steps:

  1. Run a Google Workspace admin report on externally shared files. Sort by "last modified" and start with the oldest ones. Revoke access on anything that's stale.

  2. Set a calendar reminder every quarter to audit external sharing. Yes, it's manual. Yes, it's annoying. But until you have a better tool it's necessary.

  3. Stop using "anyone with the link" as your default. Use restricted sharing with specific email addresses. It's more friction but significantly more secure.

  4. Add a "revoke external access" step to your employee offboarding checklist. Even if you can't catch everything, catching some is better than catching none.

  5. For truly sensitive documents, stop using Google Drive for external sharing entirely. Use a tool designed for controlled, time-limited, tracked external sharing.
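The audit that the "What good access management looks like" section describes and the first, fourth and fifth steps above ask for can be scripted. The example below is added here and is not the author's code or Google's: it takes file records in the shape the Drive API v3 `files.list` call returns when asked for `fields="files(id,name,modifiedTime,permissions)"` and flags "anyone with the link" shares, external recipients, departed staff, and files nobody has touched in a configurable number of days. The records, the internal domain `example-agency.com` and the departed-staff list are constructed for the example; the live `files.list` call, credentials, and the `permissions.delete` step that would act on the plan are assumed and not shown.

```python
"""Audit Google Drive sharing records for link-shares, external and departed
principals, and stale files.

Added example for this post, not code from the author or from Google. It
operates on file records in the shape Drive API v3 `files.list` returns for
`fields="files(id,name,modifiedTime,permissions)"`; the records below are
constructed sample data, not a real tenant.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    file_id: str
    file_name: str
    permission_id: str   # "" for file-level findings (staleness)
    principal: str       # email address, "anyone", or "" for file-level findings
    reason: str          # anyone_with_link | external | departed | stale


def _parse_rfc3339(ts: str) -> datetime:
    # Drive timestamps look like "2024-05-20T09:00:00.000Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_shares(files, now, internal_domain, departed_emails, stale_days=180):
    """Return one Finding per risky permission plus one per stale file, in file order."""
    departed = {e.lower() for e in departed_emails}
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            ptype = p.get("type")
            if ptype == "anyone":
                # "Anyone with the link": no authentication, no expiry, no access log.
                findings.append(Finding(f["id"], f["name"], p["id"], "anyone", "anyone_with_link"))
            elif ptype in ("user", "group"):
                email = p.get("emailAddress", "").lower()
                if email in departed:
                    findings.append(Finding(f["id"], f["name"], p["id"], email, "departed"))
                elif p.get("role") != "owner" and not email.endswith("@" + internal_domain):
                    findings.append(Finding(f["id"], f["name"], p["id"], email, "external"))
            elif ptype == "domain" and p.get("domain", "").lower() != internal_domain:
                findings.append(Finding(f["id"], f["name"], p["id"], p["domain"], "external"))
        if _parse_rfc3339(f["modifiedTime"]) < cutoff:
            # Untouched for stale_days: the post's "flag for review" case.
            findings.append(Finding(f["id"], f["name"], "", "", "stale"))
    return findings


def revocation_plan(findings):
    """(file_id, permission_id) pairs safe to revoke without a human decision:
    open links and departed people. External and stale findings stay in the
    review queue because a live contractor may still legitimately need access."""
    return [(x.file_id, x.permission_id) for x in findings
            if x.reason in ("anyone_with_link", "departed")]


# --- constructed sample data (not from a real Drive tenant) ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DEPARTED = {"former@example-agency.com"}
SAMPLE_FILES = [
    {"id": "f1", "name": "Client proposal.docx", "modifiedTime": "2024-05-20T09:00:00.000Z",
     "permissions": [
         {"id": "p1", "type": "user", "role": "owner", "emailAddress": "alice@example-agency.com"},
         {"id": "p2", "type": "anyone", "role": "reader"},
     ]},
    {"id": "f2", "name": "Q3 financial model.xlsx", "modifiedTime": "2022-11-03T15:30:00.000Z",
     "permissions": [
         {"id": "p3", "type": "user", "role": "owner", "emailAddress": "bob@example-agency.com"},
         {"id": "p4", "type": "user", "role": "reader", "emailAddress": "freelancer@example.net"},
         {"id": "p5", "type": "user", "role": "writer", "emailAddress": "former@example-agency.com"},
     ]},
    {"id": "f3", "name": "Team lunch menu", "modifiedTime": "2024-05-30T08:00:00.000Z",
     "permissions": [
         {"id": "p6", "type": "user", "role": "owner", "emailAddress": "alice@example-agency.com"},
         {"id": "p7", "type": "domain", "role": "reader", "domain": "example-agency.com"},
     ]},
]

if __name__ == "__main__":
    found = audit_shares(SAMPLE_FILES, NOW, "example-agency.com", DEPARTED)
    for x in found:
        print(f"{x.reason:16} {x.file_name!r:28} {x.principal}")
    print("revoke:", revocation_plan(found))
```

The split between `revocation_plan` and the rest of the findings is the design choice worth keeping if you wire this up to the real API: an open link and a departed employee's access can go without anyone's sign-off, while an external address may belong to a contractor mid-project, so that row goes to the file owner rather than being deleted automatically. One real-API detail that helps with the post's "automatic expiration" ask: Drive lets you set an `expirationTime` on user and group permissions when you grant them, but not on "anyone with the link" permissions, which is exactly why those are the ones this script revokes outright.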

The links you shared last year are still live. The question is whether that's a problem you want to fix now or a problem you want to discover the hard way later.
