Why Email Attachments Are Problematic
You've probably sent countless files as email attachments. It works. But for business documents, it creates risks:
- **No control after sending**: Once sent, you can't revoke access or see who forwarded it
- **No audit trail**: You don't know if the client opened it, downloaded it, or forwarded it to 50 people
- **Size limits**: Large files bounce or get rejected
- **Version chaos**: Client saves attachment, you update the file, now there are two versions
- **Security**: Email isn't encrypted end-to-end by default; attachments sit in multiple mailboxes
For casual documents, this doesn't matter. For contracts, financial information, or confidential data, it should concern you.
The "No Personal Email" Rule
Before discussing file sharing tools, establish this policy:
> **Business documents should never be sent to or from personal email addresses.**
This means:
- Don't email client files to your personal Gmail to work on at home
- Don't accept documents from clients' personal Hotmail addresses for important matters
- Don't let staff email business files to themselves
**Why?** Personal email accounts:
- Have weaker security (often no MFA)
- Aren't covered by your backup
- Aren't covered by your data policies
- Can be compromised without your knowledge
- Create liability if data is breached
Secure Sharing Options
Cloud Storage Links (OneDrive, Google Drive, Dropbox)
The simplest approach: upload files to cloud storage and share links.
**OneDrive (Microsoft 365)**:
- Right-click file → Share → Copy link
- Set permissions: View only vs Edit
- Set expiry date
- Password protect (optional)
- Block download (view only in browser)
**Google Drive**:
- Right-click file → Share → Get link
- Set permissions: Viewer, Commenter, Editor
- Expiry: Requires Google Workspace (not free Gmail)
- Password: Not built-in, use third-party or manual process
**Dropbox Business**:
- Right-click file → Share → Create link
- Set expiry date
- Password protect
- Disable downloads
- Track views
Dedicated Secure File Sharing
For more control, dedicated platforms offer additional features:
**Tresorit** - From £10/user/month
- End-to-end encryption
- Detailed access logging
- Watermarking
- Remote wipe of shared files
- Strong GDPR compliance tools
- Swiss-based (strong privacy laws)
**Citrix ShareFile** - From £10/user/month
- Good for professional services (legal, accounting)
- Client portal features
- eSignature integration
- Detailed audit trails
- Encryption at rest and in transit
**Box** - From £10/user/month
- Enterprise-grade security
- Governance and compliance features
- Watermarking and rights management
- Integrates with many business tools
**Sync.com** - From £5/user/month
- Zero-knowledge encryption
- Canadian-based
- Good privacy focus
- Simpler than enterprise options
Client Portals
For ongoing client relationships, consider a dedicated portal:
**Benefits**:
- Clients log in to access their documents
- Full audit trail of access
- Two-way file upload
- Branding with your company
- No reliance on email delivery
**Options**:
- ShareFile Client Portal
- Suitedash (all-in-one client management)
- Clinked (client collaboration)
- Huddle (project-focused)
- Many CRM systems include this
Essential Security Features
1. Link Expiry
Links should expire. An "anyone with the link" URL that lives forever is a security risk.
**Recommendations**:
- Client delivery: 7-14 days
- Project collaboration: Duration of project + 30 days
- Sensitive documents: 48-72 hours (notify the recipient to download promptly)
2. View-Only vs Download
Sometimes you want clients to see a document but not keep a permanent copy:
**View-only use cases**:
- Draft documents pending approval
- Sensitive information for reference only
- Proposals you might update
**Download allowed**:
- Final deliverables
- Documents client needs to keep
- Contracts (though consider eSignature tools)
3. Password Protection
Add a layer of security for sensitive documents:
**Best practice**: Send the password via a different channel than the link.
- Link via email → Password via text message
- Or communicate the password verbally
4. Watermarking
Watermarks identify documents if they're leaked:
**Static watermarks**:
- "CONFIDENTIAL" or "DRAFT" overlays
- Your company logo
- Document ID
**Dynamic watermarks**:
- Viewer's email address
- Date/time of viewing
- Unique per-viewer identifiers
Services like Tresorit and ShareFile offer dynamic watermarking—if a document leaks, you know who shared it.
5. Audit Trails
Know who accessed what and when:
**Track**:
- Who opened the link
- When they accessed it
- Whether they downloaded
- IP address / location (for suspicious access)
This isn't paranoia—it's due diligence, especially for regulated industries.
Receiving Files Securely
Clients need to send you files too. Options:
Secure Upload Links
Most file sharing services offer "request files" or upload links:
- **OneDrive**: Create a "File request" folder
- **Dropbox**: "File requests" feature
- **ShareFile**: Upload portal
Clients don't need an account—they just upload to your secure storage.
Avoiding Insecure Alternatives
If you don't provide a secure option, clients will:
- Email attachments (risky for large/sensitive files)
- Use WeTransfer (free version has limited security)
- Use personal cloud storage (no control)
Provide a good option and they'll use it.
Practical Workflows
Sending a Contract for Review
1. Upload contract to OneDrive/Dropbox/ShareFile
2. Create sharing link:
   - View-only (if you don't want edits)
   - Expiry: 14 days
   - Password: Yes (share separately)
3. Email link with clear instructions
4. Send password via text or separate email
5. Monitor access via audit trail
6. Follow up if not accessed within reasonable time
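
Steps 5 and 6 above, and the audit-trail fields listed under "Audit Trails", can be checked mechanically once access events are exported. The following is an added example, not part of the original article or any vendor's tooling; the log columns, link IDs and share register are constructed, hypothetical values.

```python
import csv
import io
from collections import defaultdict

# Constructed access-log sample. Column names are hypothetical, not a vendor export format.
SAMPLE_LOG = """\
link_id,timestamp,viewer,ip,action
L-100,2024-03-02T09:14:00,jane@client.example,203.0.113.10,open
L-100,2024-03-02T09:15:30,jane@client.example,203.0.113.10,download
L-200,2024-03-02T11:00:00,bob@client.example,198.51.100.7,open
L-200,2024-03-03T02:40:00,anonymous,192.0.2.55,open
L-200,2024-03-03T02:41:00,anonymous,192.0.2.91,download
"""

# Constructed share register: the recipients each link was actually sent to.
SHARES = {
    "L-100": {"jane@client.example"},
    "L-200": {"bob@client.example"},
    "L-300": {"sam@client.example"},
}

def review_access(log_text, shares, max_ips=2):
    """Return sorted (link_id, finding) tuples that deserve a human look."""
    findings = set()
    ips_seen = defaultdict(set)
    for event in csv.DictReader(io.StringIO(log_text)):
        link = event["link_id"]
        if link not in shares:
            findings.add((link, "access to link missing from share register"))
            continue
        ips_seen[link].add(event["ip"])
        if event["viewer"] not in shares[link]:
            findings.add((link, f"opened by unexpected viewer {event['viewer']}"))
    for link in shares:
        if not ips_seen[link]:
            # Workflow step 6: nobody has opened the link yet.
            findings.add((link, "never accessed: follow up with recipient"))
        elif len(ips_seen[link]) > max_ips:
            # Weak signal only: mobile networks and VPNs also change IPs.
            findings.add((link, f"{len(ips_seen[link])} distinct IPs: possible forwarding"))
    return sorted(findings)

if __name__ == "__main__":
    for link, finding in review_access(SAMPLE_LOG, SHARES):
        print(link, "-", finding)
```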
Delivering Project Files
1. Organise files in a clearly labelled folder
2. Create sharing link:
   - Download enabled (final deliverables)
   - Expiry: 30 days (give client time to download)
3. Email link with contents summary
4. Archive your copy appropriately
5. After expiry, client should have their own copies
Receiving Sensitive Documents
1. Create a file request/upload link
2. Send to client with clear instructions
3. Files arrive in your secure storage
4. Acknowledge receipt
5. Process according to your data handling policy
6. Delete after appropriate retention period
Setting Up Your File Sharing Policy
Document your approach:
> **[Company Name] File Sharing Policy**
>
> **External Sharing**:
> - Client files shared via [OneDrive/Dropbox/ShareFile]
> - No email attachments for sensitive documents
> - Links expire after maximum [14] days
> - Sensitive documents require password (sent separately)
>
> **Personal Email**:
> - Business documents must not be sent to/from personal email accounts
> - This applies to both staff and clients for sensitive matters
>
> **Receiving Files**:
> - Clients upload via [secure upload link]
> - Large files via [method]
>
> **Audit**:
> - File access is logged for [period]
> - Logs reviewed if security concerns arise
>
> **Exceptions**:
> - Routine correspondence may use email attachments
> - [Manager] can authorise exceptions
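
A written policy is easier to keep when existing shares are checked against it. The sketch below is an added example, not part of the original article: it audits a constructed export of sharing links against the template's rules (maximum link lifetime, password on sensitive shares, no personal email for sensitive matters). The CSV columns are hypothetical, and the personal-domain list contains only the two providers the article names.

```python
import csv
import io
from datetime import date

MAX_LINK_DAYS = 14                            # the template's placeholder default, [14]
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com"}  # providers named in the article

# Constructed sample export. Column names are hypothetical, not any vendor's report format.
SAMPLE_EXPORT = """\
file,created,expires,password,sensitive,recipient
contract-draft.pdf,2024-03-01,2024-03-15,yes,yes,jane@client.example
pricing.xlsx,2024-03-01,,no,yes,bob@client.example
brochure.pdf,2024-03-01,2024-04-30,no,no,info@client.example
payroll.csv,2024-03-01,2024-03-04,yes,yes,sam@gmail.com
"""

def audit_shares(export_text, max_days=MAX_LINK_DAYS):
    """Return (file, finding) tuples for every share that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["file"]
        sensitive = row["sensitive"] == "yes"
        if not row["expires"]:
            findings.append((name, "no expiry set"))
        else:
            lifetime = (date.fromisoformat(row["expires"])
                        - date.fromisoformat(row["created"])).days
            if lifetime > max_days:
                findings.append(
                    (name, f"expiry {lifetime} days exceeds {max_days}-day maximum"))
        if sensitive and row["password"] != "yes":
            findings.append((name, "sensitive share without password"))
        domain = row["recipient"].rsplit("@", 1)[-1].lower()
        if sensitive and domain in PERSONAL_DOMAINS:
            findings.append((name, "sensitive share to personal email domain"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_shares(SAMPLE_EXPORT):
        print(name, "-", finding)
```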
Authority Resources
- **ICO Data Sharing Code**: [ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-code](https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/data-sharing-code/) - UK data protection guidance on sharing
- **NCSC Cloud Security Guidance**: [ncsc.gov.uk/collection/cloud-security](https://www.ncsc.gov.uk/collection/cloud-security) - Security principles for cloud services
- **GDPR and File Sharing**: [ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/) - GDPR security requirements
Comparison: File Sharing Security Features
| Feature | OneDrive | Google Drive | Dropbox Business | ShareFile | Tresorit |
|---------|----------|--------------|------------------|-----------|----------|
| Link expiry | ✓ | ✓ (Workspace) | ✓ | ✓ | ✓ |
| Password protection | ✓ | ✗ | ✓ | ✓ | ✓ |
| View-only/Block download | ✓ | ✓ | ✓ | ✓ | ✓ |
| Watermarking | ✗ | ✗ | ✗ | ✓ | ✓ |
| Access tracking | Basic | Basic | ✓ | ✓ | ✓ |
| End-to-end encryption | ✗ | ✗ | ✗ | ✗ | ✓ |
| File request/upload | ✓ | ✗ | ✓ | ✓ | ✓ |
| Client portal | ✗ | ✗ | ✗ | ✓ | ✗ |
| Price (approx/user/mo) | £4.90+ | £4.60+ | £10 | £10 | £10 |
Your File Sharing Checklist
**Setup**
- [ ] Chosen primary file sharing platform
- [ ] Configured default security settings (expiry, etc.)
- [ ] Created file request/upload link for receiving files
- [ ] Documented file sharing policy
- [ ] Communicated policy to staff
**For Each Sensitive Share**
- [ ] Uploaded to secure platform (not email attachment)
- [ ] Set appropriate permissions (view/download)
- [ ] Set expiry date
- [ ] Added password if warranted
- [ ] Sent password via separate channel
- [ ] Noted share in appropriate records
**Ongoing**
- [ ] Review access logs periodically
- [ ] Clean up expired/unused shares
- [ ] Update policy annually
Getting Started This Week
**Day 1**: Audit current sharing practices—how are files going to clients now?
**Day 2**: Review security features of your current cloud storage
**Day 3**: Configure default sharing settings (expiry, permissions)
**Day 4**: Set up file request/upload link for receiving files
**Day 5**: Draft and communicate file sharing policy
Secure file sharing isn't about paranoia—it's about professionalism. Clients trust you with their information; handle it accordingly. The tools are available and affordable; the only barrier is implementing them consistently.