Security isn't something you should risk playing with
Dec 8, 2025
Tycho Klessens
08/11/2025
Many companies still treat security as something to fix after something happens.
You wait for the alert, respond to the ticket, run the audit, and hope it’s enough to prevent the next one.
But the truth is, a risk doesn’t announce itself.
It builds quietly: through people sharing files, permissions that were never revoked, and the tools that connect to your Google Workspace every single day.
By the time you notice something's wrong, the damage is already done.
We’ve seen it across hundreds of environments, with hundreds of clients. The more visibility their teams gain and the deeper they look, the more they realize how much has been left to chance.
True control means prevention, not reaction.
The problem with "fixing it later"
Here's what I see happening at companies everywhere. Someone leaves your team. But they can still download contracts and contact lists. A contractor finishes their project. But they still have access to your Workspace. A third-party app gets connected to your Google Workspace. But nobody knows or even tracks what it can see.
These aren't dramatic security breaches with hackers breaking through firewalls. These are blind spots that can grow into serious problems.
And the numbers show it's getting worse.
In 2024, the global average cost of a data breach reached $4.88 million, a 10% increase from the year before. The financial sector saw even higher costs at $6.08 million per incident.
And the reality? A lot of these breaches didn't require sophisticated hacking. The way in was already open.
Someone who shouldn't have had access still had it.
An employee downloaded an app and used their credentials automatically without checking what permissions they were granting.
A former employee with an active license still could browse through company files.
A contractor who finished months ago.
The breach happened because nobody knew who could still get in, what they were accessing, and where they were accessing from.
What this looks like in real companies
Let me show you what this actually means across different industries.
Fintech: When one forgotten access becomes a compliance disaster
Financial companies handle regulated data every day. Customer information, transaction records, account details. All of it protected by strict regulations. So, for financial companies, a data breach isn't just embarrassing. It's critical.
One data breach can trigger chaos: regulatory fines that reach millions, audit failures that expose your compliance gaps, and, on top of that, broken customer trust that took years to build. And for smaller fintech companies, it can mean the difference between growth and shutting down. The risks are real. In 2024, 46% of financial institutions reported having a data breach in the past 24 months.
Let’s take the Block Inc. case, for example: a former employee retained access after termination and downloaded sensitive data for 8.2 million Cash App customers. Names, account numbers, portfolio details, and trading activity. All because offboarding processes failed.
One of our clients, Lili Banking, a financial services platform with over 200,000 customers, was concerned about protecting their data and improving control over their file sharing.
"We knew we had to protect our file repository. With Florbs, we finally gained control over Google Drive sharing risks that were hard to handle before," says Liran Zelkha, CTO and co-founder of Lili.
And other financial organizations face similar risks. For example:
Old vendor file shares still active.
Public links that should have been removed months ago are still visible.
Files containing sensitive financial data still accessible to people who no longer need it.
And, as they scale and users grow, manually tracking every permission isn't realistic. But, once they get visibility into who has access to what, the hidden risks become clear. And fixable.
My take: a single unrevoked Drive access isn't a small mistake. It's a compliance violation waiting to be discovered, a regulatory risk, and a trust breach waiting to happen.
Hospitality: Seasonal workers who never really leave
Hotels, restaurants, and hospitality businesses face a unique challenge. They hire seasonal staff. They work with external agencies. They bring people in for busy periods and let them go when things slow down. High turnover is built into the business model.
But here's what nobody talks about: Those workers often keep access to shared Drive folders long after their contracts end. Guest lists. Booking information. Payment details. Internal communications. And the stakes are high. In 2024, the average cost of a hospitality data breach reached $3.86 million. The industry recorded 95,040 vulnerabilities, with 14,318 classified as critical. With turnover rates hitting 90% in some regions, every transition is a chance for access to slip through the cracks.
CitizenM, operating 37 hotels across 20 cities worldwide, faced the same risk. With constant staff turnover across multiple countries and time zones, manually tracking who had access to what was nearly impossible. Onboarding took hours. Offboarding was inconsistent.
Once we helped them gain full visibility across every location, what took hours now took minutes through automated onboarding and offboarding.
My take: In the hospitality industry, when seasonal workers and agency staff keep editing rights on shared folders, you're not just risking customer data. You're creating a permanent vulnerability that grows with every person who moves through your business. So, high turnover isn't the problem. Not knowing who still has access is.
Healthcare: Patient data that should have been locked down months ago
Healthcare organizations handle some of the most sensitive data that exists. Patient records. Medical histories. Treatment plans. Insurance information. Test results. In Europe, GDPR demands that this data be protected. In the USA, HIPAA requires it. Patient trust depends on it.
But protecting that data isn't just about preventing hackers. It's about controlling who and what has access to it and how. For example, in early 2024, Blue Shield of California (a health insurance company) discovered that for nearly three years, their use of Google Analytics inadvertently shared protected health information of 4.7 million members with Google's advertising platform. They weren't hacked. A third-party tool was simply misconfigured, and for years, patient data leaked through an unmonitored connection. Every app you connect expands your compliance surface. The risks multiply when your IT team is stretched thin trying to maintain compliance manually.
At Florbs, many of our clients are healthcare organizations with multiple facilities across the Netherlands, and they were facing this reality. With a growing force of employees and volunteers, manual workflows for email signatures, time-tracking, and administrative tasks kept pulling their IT teams away from patient care priorities. Some of them also needed to align with their compliance standards without hiring specialized consultants. Once workflows were automated through Florbs, IT resources were freed up, and their compliance is now maintained without constant manual oversight.
My take: When your IT team is buried in manual work, they can't focus on what matters. And when compliance depends on people remembering to do things right every time, something will likely slip through the cracks.
Software and tech companies: When legacy settings expose your entire Drive
Your team grew from 20 to 200 people. Your Drive settings didn't change with it. Because three years ago, making a folder accessible company-wide made sense. Everyone knew everyone. Now? Half your team shouldn't see half your files.
If your company is working with Google Workspace and storing files in Google Drive, it’s very likely that a part of those files will contain sensitive information. Imagine the risk that poses when your company AND your files scale. Old permissions become new vulnerabilities.
That’s what one of our clients, Virtua Computers, a managed IT service provider in New York, saw firsthand with one of their own clients. A legacy Drive setting made every file accessible to the entire organization. Standard Google tools didn't flag it because technically, nothing was shared "externally." But many employees had access to data they shouldn't have. Now, through automated security workflows, they can spot misconfigurations across their clients' entire Drive instantly and secure thousands of files within minutes.
My take: Growth changes everything except your old Drive/Workspace settings. What worked for 20 people becomes a liability at 200. You can't manually review permissions when you're scaling fast. Without full visibility and automated workflows to secure your environment, by the time you find the problem, it's already been exposed for months.
Your blind spots are your biggest risk
The truth is, if your organization is using Google Workspace, what you don't see can definitely hurt you. No matter what industry you're in. Take education, for example. It's the same pattern. Teachers share class folders with students. Research teams collaborate on documents. Those permissions stay active long after the term ends, after students graduate, after projects wrap up.
Data shared indefinitely entails constant exposure risk and potential violations of industry standards. And just like that, I can provide hundreds of other examples. So, while Google provides some built-in security features, if you don't have full visibility and control over your Workspace, the blind spots you miss can create significant security gaps.
Are you ready to run that risk?
At Florbs, we're the security shield for Google Workspace. We help hundreds of organizations like Lili, CitizenM, Virtua Computers, and many others protect data at scale without slowing down collaboration. Through our intuitive platform, we give you complete control over your Google Workspace security from day one.

And stay tuned. This is just the first in a series of blogs that I am writing about security and your Google Workspace. In the next one, titled 'You can't secure what you can't see', I take a deeper dive into the things that Google won't show you and why visibility is the foundation of full control over your Google Workspace.




