DropVault CEO Neal O’Farrell explains why SMEs need to rethink how they share sensitive information in an era of AI-driven attacks, growing regulatory pressure and rising concern over who really controls business data.
Artificial intelligence (AI) is making cybercrime faster, cheaper and far more convincing. Phishing emails can now be written in perfect tone, impersonation attempts are harder to spot, and fraudsters can manufacture urgency at scale.
Yet for all the noise around new threats, the old truth still holds: most breaches still begin with email. One click on a fake invoice, one reply to a spoofed supplier, or one forwarded attachment to the wrong person can open the door to attackers.
At the same time, businesses are holding increasingly sensitive conversations on tools built for convenience rather than high-risk collaboration. Contracts, board discussions, HR issues, payment details and commercial negotiations are often shared through email, cloud folders and consumer chat apps with little thought about exposure.
That matters because encryption at rest – securing and encrypting files and documents to ensure that only those with the keys can access them – is not the same thing as real control. If an email or app provider holds one of the keys, they remain part of the trust chain. That raises difficult questions around sovereignty, jurisdiction, court orders and who truly owns access.
With geopolitical tensions rising and regulators paying closer attention to data custody, small and medium-sized enterprises (SMEs) need to think beyond storage and start thinking seriously about visibility, control and risk.
Why do we need to rethink how sensitive information is shared today?
Pictured in Bray, Co. Wicklow, are Paul Phelan, CEO, Data Edge and Neal O’Farrell, CEO, DropVault. Data Edge is a DropVault partner in Ireland
Because the threat has changed, but our habits have not.
Most SMEs still share important information in familiar ways: email, cloud links, messaging apps, forwarded threads and shared folders. It feels normal because it is normal. But normal is doing a lot of dangerous work here. AI has changed the speed and quality of cyberattacks. Criminals can now write better phishing emails, imitate tone more convincingly, and launch highly personalised fraud attempts with very little effort.
The risk is not only that an outsider breaks in – it is also that businesses are often too casual with sensitive information, both internally and externally. A payroll file is emailed around. A legal draft sits in an inbox. A commercial negotiation ends up in an informal messaging thread. A shared folder quietly expands over time until half the company can access material that only two people ever needed to see.
That is why this is no longer just a technical problem. It is a business behaviour problem. And that is exactly why planning matters so much. Around 20 years ago, I served on the Federal Communications Commission Cybersecurity Roundtable, where a main focus was creating one of the first cybersecurity plan templates for SMEs. Two decades later, that lesson still stands: the most important first step is creating a proper security plan.
Why? Because devising a plan forces a business to stop running on autopilot. It makes leaders ask basic but powerful questions, such as: What are our most sensitive conversations? Where do they happen? Who really needs access? What would the damage be if that information was exposed, misused or legally compelled?
Isn’t cloud encryption at rest enough?
It is necessary but, alone, it is not enough.
Encryption at rest means data is encrypted while stored on a server or in a cloud platform. That is good practice. It absolutely should be there. But many businesses hear the word “encrypted” and assume the problem is solved. It is not.
The real question is who controls the keys.
If the service provider controls the encryption keys, then the provider still sits inside the trust model. In practical terms, that means access may still be possible through that provider under certain legal, regulatory or operational conditions. That could include court orders, disclosure obligations or laws tied to the jurisdiction in which the provider operates. Of course, it also means that providers act as another avenue of attack for cybercriminals.
This is where the conversation becomes more serious for SMEs. It is not just about cybersecurity; it is about sovereignty and control. Which country’s rules apply? Who can compel access? If your most sensitive information sits in the cloud, but someone else controls the keys, how much control do you really have?
A simple analogy helps: putting valuables in a secure locker is sensible, but if someone else holds the master key, you do not have exclusive custody. You have protection, but not complete control.
For SMEs dealing with contracts, acquisitions, payroll, legal advice, customer records or intellectual property, that distinction matters. Regulators, insurers, clients and supply-chain partners are asking harder questions about where data sits, who can access it and what happens under legal pressure. Encryption at rest is a good baseline. It is not the finish line. Taking an approach such as Zero Trust access, which we will explore shortly, is a valuable extra layer of protection for your sensitive data.
Why not just use WhatsApp, iMessage or chat apps?
Because convenience is not governance.
Consumer messaging apps are brilliant for speed and ease. That is exactly why people use them. But they were not designed to manage high-risk business collaboration, long-term accountability or formal control over sensitive company information.
The problem is not that these tools are useless. The problem is that they encourage informal behaviour around serious material. A document gets screenshotted. A contract is downloaded to a personal phone. A voice note contains confidential detail. A private message is forwarded into another group. None of that feels dramatic in the moment. But this is how risk slips in through the side door.
There is also the management issue. When an employee leaves, can the company cleanly remove access? Can it prove what was shared and with whom? Can it separate company data from personal conversations? Can it apply retention rules or audit trails? In many cases, not properly.
For SMEs, that matters more than it used to. Sensitive communication needs to be not only secure, but manageable. A business should know where critical conversations happen and how access is controlled. Consumer chat apps may be fine for quick coordination, but they are often the wrong home for board matters, legal issues, pricing discussions, HR cases or anything commercially delicate.
It is the digital equivalent of discussing payroll in a busy café. Fast, familiar and deeply unwise.
What does Zero-Trust or Zero-Visibility architecture mean in practice for SMEs?
It means exposing less and assuming less.
Zero Trust sounds technical, but the core idea is simple: do not automatically trust a user, device or platform regardless of position within the organisation or whether they are already inside your environment. Verify first. Limit access. Reduce assumptions.
Zero Visibility takes that further by aiming to ensure that as few parties as possible — ideally not even the platform provider — can access sensitive content. For SMEs, this is less about buzzwords and more about common sense. The goal is to make sure that confidential information is only visible to the people who genuinely need it, for the time they need it, and no longer.
In practical terms, that could mean segmenting access to sensitive documents, using separate channels for high-risk communications, limiting downloads and forwarding, and choosing services where the business has stronger control over access and keys.
This is not about turning a small business into a fortress. It is about using proportionate discipline. You would not leave signed contracts or payroll records on the reception desk simply because the office front door has a lock. Digital security should work the same way.
For SMEs, Zero Trust and Zero Visibility are really about reducing blast radius. If something goes wrong — a compromised account, a phishing attack, a bad actor or a legal request — the amount exposed should be as small as possible.
What practical steps should SMEs take now?
Start with a plan, not a product.
That may sound almost too simple, but it is still the right first move. My experience on the FCC Cybersecurity Roundtable is relevant here because the principle has not changed in 20 years: when SMEs create a security plan, they are forced to think clearly about their risks, behaviours and blind spots. That process itself is invaluable.
The next step is to identify your most sensitive information. Not all data is equal. Contracts, payroll, customer records, legal advice, strategic discussions and HR matters require more protection than routine admin.
Then, map where that information is actually being shared today. Email? Shared drives? Personal devices? Consumer chat apps? Third-party cloud tools? Many businesses are surprised when they trace the real path of sensitive information.
After that, decide which conversations need a more controlled method of sharing. Review who has access, who controls the keys, and how quickly access can be removed when roles change or staff leave. Finally, train people in plain English using real-world examples, especially around phishing, impersonation and suspicious requests.
One practical idea is to give SMEs a simple security planning template or even a one-page outline they can use as a starting point. That would make a strong giveaway or lead-generation asset because it turns security from an abstract worry into something practical and manageable.
Most SMEs do not need a 200-page cyber manual. They need a sensible structure, a few clear decisions and the know-how to avoid treating sensitive information like everyday chatter.





