
Google Workspace sharing controls: the quiet data leak

Most Google Workspace data exposure isn't a hack. It's normal sharing drifting open over time, plus a few permissive defaults. This is what to check.

Trevor Spaniola · Founder & CEO · June 17, 2026 · 12 min read

The tool you bought to share is very good at sharing

If you run a growing company on Google Workspace, your most likely data exposure right now isn't an attacker breaking in. It's a document, a folder, or a whole shared drive that someone opened up for a perfectly good reason and nobody ever closed again. That is the quiet leak, and it doesn't trip any alarms.

This is normal behavior, not negligence. Someone shares a deck with a contractor, adds an outside partner to a drive, connects a handy new app to their calendar. Each step makes sense on its own. Over months and years, those small, well-meant decisions pile up into a surface area no one is tracking, and a few of Google's defaults start out leaning toward open rather than closed.

The numbers say this is the common case, not the edge case. In the Cloud Security Alliance's State of SaaS Security 2025, 63% of organizations reported external data oversharing. And in Verizon's 2025 Data Breach Investigations Report, errors and misconfigurations accounted for more than a quarter of all incidents, while third-party involvement in breaches doubled year over year to 30%. That is the shape of the problem: ordinary mistakes and outside connections, not master hackers.

This post walks the Workspace settings that matter most, in plain language. For each one: what it does, what the default tends to be, where to check it, and the safer setting. If your team is on Microsoft 365 instead, the same idea applies to a different console, and we covered it in our Microsoft 365 hardening post.

Why these defaults lean toward sharing

It helps to assume good faith here, because the reasons are reasonable. A collaboration tool's whole job is to remove friction from sharing. If every share prompted a security review, nobody would use the product, so the defaults are tuned to make working together easy.

The catch is that the defaults are split and a little counterintuitive. Some settings ship locked down, others ship open, and they don't always match where you'd expect. We'll get to the most surprising example shortly.

And almost nobody revisits these settings after the initial setup. Someone configured Workspace when the company was a third of its current size, and the admin console hasn't been opened with fresh eyes since. The exposure isn't from a single bad choice. It's from never looking again.

Drive external sharing: the org-level switches

The first place to look is the org-wide control over whether files can leave your company at all. In the admin console, that lives under Apps, then Google Workspace, then Drive and Docs, then Sharing settings, then Sharing options. The choices range from off, to specific allowlisted domains, to anyone with the link, to public on the web.

We're going to be careful here about defaults. Google's documentation doesn't plainly state whether external sharing is on or off for a brand-new organization, so we won't claim a default we can't source. What's fair to say is this: the product ships ready to share, and in practice external sharing is very commonly left on, because turning it fully off would break legitimate work with customers and partners. So the realistic question for most teams is not "is it on" but "how far open is it, and who decided that."

Two more controls sit alongside it. Access Checker governs how wide a link your users can hand out, with three levels: recipients only, recipients or your whole org, or recipients, org, or the public. Domain allowlisting lets you permit sharing only with named partner domains instead of the entire internet, which is a strong middle ground. There's also a general access default for newly created files that you can set to private to the owner.

Public on the web is a different category of risk

The "public on the web" option, which Access Checker can permit, doesn't just mean anyone with a link can open a file. It means a file can be indexed and found without any link at all. That is the setting most likely to turn an internal document into a search result. If you don't have a clear reason to allow publish-to-web, keep it switched off and keep Access Checker set no wider than your business actually needs.

My Drive vs. shared drives: the default that surprises people

Here is the single most important thing to understand about Workspace sharing, and almost no one gets it right by intuition.

For files in someone's My Drive, the general access default is Restricted, private to the owner. Google describes it as the recommended setting so people can share a file only when they're ready and keep personal files private. That's the safe behavior most people assume applies everywhere.

It does not. For shared drives, all sharing settings start set to allow by default, including external sharing. A new shared drive begins life open, and an admin has to actively restrict it. The two defaults are opposite.

That split is the trap. Teams create a shared drive precisely because the work is shared and important, assume it inherits the safe, private behavior they see on their own files, and unknowingly stand up a space where external sharing is allowed from the moment it exists. Every file dropped in afterward lives under that permissive starting point until someone changes it.

The one thing to remember from this post

My Drive files start private. New shared drives start open, including to people outside your company. They are opposite defaults, and most teams assume they're the same. If you do nothing else after reading this, go look at how your shared drives are configured for external sharing.

Shared drive sprawl and the 2025 permission changes

Once you know shared drives start open, two follow-on questions matter: who can create them, and who's still a member of them.

You can control whether ordinary users can create shared drives at all, under the same Drive and Docs sharing settings. Left fully open, shared drives multiply faster than anyone can govern them, and membership drifts. Contractors finish a project and stay on the drive. People change roles and keep access they no longer use. The drive outlives the reason it was created, and so does everyone's access to it.

Google also changed how Drive permissions work in two waves during 2025, and the changes are worth understanding in plain terms. In February 2025, Google began moving toward folder-level "limited access" as the standard way to restrict who can see what. In September 2025, Google stopped allowing narrower access to be set on an individual file or folder sitting inside a shared folder. Permissions now cascade top-down: a file inherits the access of the folder above it, and you can no longer lock down one item more tightly than its parent.

In practice, that means a structure you set up long ago may behave differently now than the day you built it. If you carefully restricted one sensitive file inside an otherwise open folder, that careful exception may no longer hold the way it used to. This is a good reason to re-check folder structures you haven't touched in a year or more.

The apps you forgot you connected

Every time someone clicks "Sign in with Google" to try a new SaaS tool, they may be granting that tool standing access to their Drive, Gmail, or Calendar. And by default, Workspace allows it: the API controls ship set to allow users to access any third-party apps. No admin involvement required.

The problem isn't the apps people use today. It's the long tail of apps anyone ever connected and forgot. Each one keeps its access until someone explicitly revokes it. A tool a former employee tried once two years ago can still hold a token into your data. It's the same pattern as shadow AI: people authorize something useful without anyone gaining visibility into what it can now reach.

Google added scope-level controls in December 2024 that let you limit an app to specific access, say Calendar only, instead of all-or-nothing. They're available to every Workspace customer. But they do nothing until an admin turns them on.

How to audit your connected apps

In the admin console, go to Security, then Access and data control, then API controls. From there, review the connected apps and the scopes each one was granted, so you can see exactly what reaches your Drive, Gmail, and Calendar. Then move third-party access from the blanket "allow any app" default toward access by specific scope, so a new app can't quietly request more than it needs. Start by looking for apps nobody recognizes and apps tied to people who have left.
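One way to triage the connected-app review described above, as an added example that is not from the original post. It assumes each user's OAuth grants have been exported as records with the field names the Admin SDK Directory API uses for tokens (userKey, clientId, displayText, scopes); the sample grants, the departed-user set and the choice of which scopes count as "broad" are constructed for illustration.

```python
from collections import defaultdict

# Real Google OAuth scopes that grant access to an entire product.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive",
    "https://www.googleapis.com/auth/calendar": "full Calendar",
}

# Constructed sample grants; users, client IDs and app names are made up.
SAMPLE_TOKENS = [
    {"userKey": "ana@example.com", "clientId": "client-notes", "displayText": "NotesSync",
     "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "raj@example.com", "clientId": "client-notes", "displayText": "NotesSync",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "raj@example.com", "clientId": "client-mailmerge", "displayText": "MailMergeTrial",
     "scopes": ["https://mail.google.com/"]},
    {"userKey": "li@example.com", "clientId": "client-sched", "displayText": "SchedulerLite",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]
DEPARTED_USERS = {"raj@example.com"}  # constructed: accounts of people who have left


def audit_tokens(tokens, departed_users):
    """Group grants by app and return the apps that need review, riskiest first."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "broad": set()})
    for tok in tokens:
        app = apps[tok["clientId"]]
        app["name"] = tok.get("displayText") or tok["clientId"]
        app["users"].add(tok["userKey"].lower())
        app["broad"].update(BROAD_SCOPES[s] for s in tok.get("scopes", []) if s in BROAD_SCOPES)

    findings = []
    for client_id, app in apps.items():
        stale = sorted(app["users"] & departed_users)
        if not (app["broad"] or stale):
            continue  # narrow scopes and current users only: nothing to flag
        findings.append({
            "client_id": client_id,
            "app": app["name"],
            "broad_access": sorted(app["broad"]),
            "departed_users": stale,
            # Orphaned: every account that granted access belongs to someone who left.
            "orphaned": bool(stale) and len(stale) == len(app["users"]),
        })
    # Orphaned apps first, then apps with broad access, then by name.
    findings.sort(key=lambda f: (not f["orphaned"], not f["broad_access"], f["app"]))
    return findings
```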

Google Groups: the mailing list that's public

Google Groups is easy to forget, and that makes it a quiet exposure path. A group set to allow external members, or to make its posts and membership publicly visible, can do two things you almost certainly don't want: let outsiders read internal email threads, and let outsiders join the conversation.

It happens innocently. A group gets created for a project, set wide open so nobody is blocked from posting, and then becomes the channel for sensitive internal discussion. The visibility setting that was convenient at the start is now a window into your operations.

The check is quick. In the admin console under Groups, review your groups for external membership and for public posting or visibility settings, and tighten any group that's carrying internal conversation but standing open to outsiders.

Gmail: auto-forwarding and the silent outbound rule

Gmail's automatic forwarding is on for users by default. That means any user can set a rule that quietly routes a copy of their mail to an outside address, and most companies have never touched the setting.

In the wrong hands, that's a serious leak. A compromised account can be configured to forward everything to an attacker's inbox, which keeps feeding them mail long after a password reset. A departing employee can do the same to walk out with the contents of their mailbox. Forwarding rules are one of the first things an attacker sets up in a business email compromise, precisely because they're silent and they persist.

One admin checkbox closes this. Under Apps, Google Workspace, Gmail, End User Access, you can turn off automatic forwarding, and when it's off the option simply disappears from users' Gmail settings. Worth knowing too: Gmail's warnings for external recipients are on by default, so the nudge that catches mail headed to an outside address is already working in your favor.

The check: decide whether your team has any real need for user-controlled auto-forwarding, and if not, turn it off at the org level, then review existing mailboxes for forwarding rules nobody remembers creating.
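A sketch of the mailbox review in that check, added here as an example and not taken from the original post. It assumes each mailbox's settings have already been collected into records whose keys mirror the Gmail API's autoForwarding setting and filter resources; the mailboxes, addresses and INTERNAL_DOMAINS are constructed. It goes one step beyond the auto-forwarding setting by also checking filters that carry a forward action, since those are forwarding rules too.

```python
INTERNAL_DOMAINS = {"example.com"}  # constructed: domains your organization owns

# Constructed sample; keys mirror the Gmail API autoForwarding and filter resources.
SAMPLE_MAILBOXES = {
    "ana@example.com": {
        "autoForwarding": {"enabled": False},
        "filters": [{"id": "f1", "criteria": {"from": "alerts@example.com"},
                     "action": {"addLabelIds": ["Label_1"]}}],
    },
    "raj@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "raj.home@mail.example.net",
                           "disposition": "leaveInInbox"},
        "filters": [],
    },
    "li@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "helpdesk@example.com"},
        "filters": [{"id": "f7", "criteria": {"query": "invoice OR payment"},
                     "action": {"forward": "ap@partner.example.org",
                                "removeLabelIds": ["INBOX"]}}],
    },
}


def is_external(address, internal_domains):
    """True when the address's domain is not one of ours (exact match, case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in internal_domains


def find_external_forwarding(mailboxes, internal_domains):
    """Return (mailbox, kind, target, note) for every rule that sends mail outside."""
    hits = []
    for mailbox, cfg in sorted(mailboxes.items()):
        auto = cfg.get("autoForwarding", {})
        target = auto.get("emailAddress", "")
        if auto.get("enabled") and target and is_external(target, internal_domains):
            hits.append((mailbox, "auto-forward", target, "all incoming mail"))
        for flt in cfg.get("filters", []):
            target = flt.get("action", {}).get("forward", "")
            if target and is_external(target, internal_domains):
                # Removing the INBOX label means the user never sees the forwarded mail.
                hidden = "INBOX" in flt["action"].get("removeLabelIds", [])
                note = f"filter {flt['id']}" + (", skips inbox" if hidden else "")
                hits.append((mailbox, "filter", target, note))
    return hits
```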

Finding what's already over-shared

Tightening defaults is only half the job. You also need to see what's already exposed, and what you can see depends honestly on the plan you're paying for.

On Business Standard and Business Plus, your main tool is the basic audit and investigation view. Under Reporting, Audit and investigation, Drive log events, you can filter by visibility and look specifically for files marked "shared externally" or "public on the web." That's a real, usable way to find your most exposed files. You also get Security Advisor, launched in September 2024 for Business editions, which gives guided recommendations right in the admin console.
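The visibility filter described above, applied to an exported log, as an added example that is not from the original post. The CSV column names and rows are constructed and are an assumption about what an export contains, not Google's documented format; only the two visibility labels come from the text. It replays events in time order so that each file is reported with its current state and the moment it entered that state.

```python
import csv
import io
from datetime import datetime

# Visibility labels to flag, with a rank so public files sort first.
EXPOSED = {"public on the web": 2, "shared externally": 1}

# Constructed sample export; column names are assumptions, not a documented schema.
SAMPLE_EXPORT = """\
Date,Event,Document ID,Title,Actor,Visibility
2026-06-01T09:12:00+00:00,Edit,doc-001,Q3 board deck,ana@example.com,Shared internally
2026-06-02T14:30:00+00:00,Visibility change,doc-001,Q3 board deck,ana@example.com,Shared externally
2026-06-03T02:04:00+00:00,Visibility change,doc-002,Customer list,raj@example.com,Public on the web
2026-06-04T10:00:00+00:00,Visibility change,doc-003,Launch plan,li@example.com,Shared externally
2026-06-05T11:45:00+00:00,Visibility change,doc-003,Launch plan,li@example.com,Private
2026-06-06T08:00:00+00:00,Edit,doc-001,Q3 board deck,ana@example.com,Shared externally
"""


def currently_exposed(export_text):
    """Return files whose latest visibility is external or public, most exposed first."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["Date"]))
    state = {}
    for row in rows:
        doc, vis = row["Document ID"], row["Visibility"].strip().lower()
        if vis not in EXPOSED:
            state.pop(doc, None)  # share was pulled back; no longer a finding
            continue
        prev = state.get(doc)
        if prev is None or prev["visibility"] != vis:
            # Newly exposed, or widened/narrowed between exposed states.
            state[doc] = {"doc_id": doc, "title": row["Title"], "visibility": vis,
                          "since": row["Date"], "changed_by": row["Actor"]}
    return sorted(state.values(),
                  key=lambda f: (-EXPOSED[f["visibility"]], f["since"]))
```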

The deeper tooling sits behind Enterprise tiers, and the exact tier matters. The security investigation tool and the security health page that reviews all your security settings in one view both start at Enterprise Standard. The file exposure report that shows sharing patterns and top recipient domains over time goes one step further and requires Enterprise Plus. None of the three are available on Business Standard or Business Plus.

What your plan actually unlocks

Business Standard and Business Plus give you Drive log events you can filter for externally shared and public files, plus Security Advisor's guided recommendations. The security investigation tool, the file exposure report, and the security health page require an Enterprise tier. It's worth knowing which side of that line you're on before you assume you can see everything.

Our honest opinion, plainly: for a growing company, being able to actually see and investigate your exposure is not a luxury. The basic log filtering is a fine start, but when the question is "what left the building, to whom, and when," guessing is not good enough. We generally recommend Enterprise Standard for companies at this size precisely so you can investigate exposure instead of inferring it. We're not saying buy the most expensive plan reflexively. We're saying contextual awareness of your own data is worth paying for, and the tier gate is the place that decision gets made.

Turning it on is step one, not the finish line

Tightening these settings closes the easy doors, and that's most of the immediate value. But a setting doesn't watch itself.

Every control above produces signals: a file that just went public, an app that just got authorized, a forwarding rule that just appeared. Those signals only help if someone is watching them and acting when one fires. When an externally shared file shows up in the log at 2am, the log can record it, but it can't pull the share back or ask whether that was supposed to happen. That's the line between configuration and response, and it's where a lot of well-configured companies quietly get stuck.

Getting the configuration right is exactly what our Collaboration Security work covers: walking your Workspace setup and closing the doors that should be closed. Watching it afterward, and acting when something fires, is what Managed Detection and Response adds. The settings keep the easy exposure out. The watching is what catches the share that shouldn't have happened.
