Network File Sharing Security Guide for Non-IT Small Businesses

Who This Guide Is For

This guide is written for small business owners, office managers, and anyone responsible for file sharing in an office without dedicated IT support. It covers the security considerations that are relevant and actionable for an office of 2–20 people on a standard Windows or mixed Windows/Mac network.

It does not cover enterprise security architecture. It covers what you actually need.

There are two threat categories for a small office file share:

Internal threats: Employees accessing files they should not see (HR records, financial data, confidential client files).

External threats: Someone outside your office accessing your files — either remotely over the internet, or physically by connecting a device to your network.

Most small office security configurations focus on external threats; internal access control requires more deliberate configuration but is equally important for sensitive files.

Securing the Network Perimeter

Rule 1 — Your file shares should not be accessible from the internet.

This should be true by default. Your office router performs NAT (Network Address Translation), which means devices on the internet cannot reach your internal machines unless you have explicitly set up port forwarding. Confirm:

No port forwarding rules on your router for ports 445 (SMB), 139 (NetBIOS), or 80/443 (web servers) unless you have specifically and deliberately set them up
Your router admin panel is password-protected and uses a non-default password
Remote management of the router is disabled (check router settings — look for "Remote Management" or "WAN access")

Rule 2 — Your WiFi network is properly secured.

Anyone connected to your WiFi can potentially see and access your shared folders.

WiFi uses WPA2 or WPA3 (not WEP, not open/unsecured)
WiFi password is strong (12+ characters, not the router default)
Guest WiFi is a separate network that cannot reach the internal LAN (most modern routers support this — look for "Guest Network" settings)
You know which devices are connected to your network (router admin panel → connected devices list)

Controlling Who Can Access Shared Files

For Windows shared folders:

Password-protected sharing is enabled (Settings → Network → Advanced Sharing Settings → All Networks → Password protected sharing: On)
Each staff member who needs access has their own Windows local account on the host machine — do not use a single shared account for everyone
Share permissions are set to allow only the accounts that need access:
- Right-click shared folder → Properties → Sharing → Advanced Sharing → Permissions → remove "Everyone" → add specific user accounts
NTFS permissions are also set appropriately (separate from share permissions — both apply)
Sensitive folders (HR, finance, contracts) are on a separate share with restricted permissions, not accessible by default to all staff

For NAS devices:

Each staff member has their own NAS user account
Access Control Lists (ACLs) restrict which accounts can see which folders
NAS admin credentials are changed from factory defaults
NAS web interface and remote access ports are not forwarded through the router
NAS access log is enabled (most Synology/QNAP units support this under Security → Log or similar)

Keeping Files Safe From Accidental Loss

Security means more than keeping bad actors out — it also means protecting against accidental deletion and hardware failure.

The host machine or NAS is backed up regularly:
- Local backup: external drive connected to the host, automated with Windows Backup (Settings → Windows Backup) or NAS replication
- Offsite backup: an encrypted cloud backup service (Backblaze B2, Wasabi, or similar) for disaster recovery
Backup is tested: at least once a quarter, restore a file from the backup to confirm it works
File versioning is enabled where available (Windows File History, NAS snapshot, or cloud backup version history)

Encryption Considerations

Data in transit: SMB3 (used between modern Windows machines) encrypts data in transit by default in some configurations. LAN transfer tools like Oxolan and LocalSend use encryption in transit. For maximum assurance on an office network, encryption is a reasonable consideration — though on a properly secured private network, the practical risk of unencrypted LAN traffic is low.

Data at rest: Encrypting the drives on which sensitive files are stored protects against physical theft (a stolen machine or a stolen hard drive). Windows BitLocker (available on Pro/Enterprise) encrypts the entire drive. Mac's FileVault provides equivalent protection.

BitLocker or FileVault is enabled on machines storing sensitive data
Recovery keys are stored securely (not on the encrypted machine itself)

Application-level LAN transfer tools (Oxolan, LocalSend) take a different approach to security than Windows SMB:

Discovery is handled by the application — not by exposing Windows shares to the network
Authentication is at the application level — no Windows credential management required
Files are transferred directly between two machines that have mutually consented to the connection, not broadcast to anyone who can browse the Network folder

For non-technical offices where configuring Windows share permissions correctly is impractical, an application-level tool provides a simpler, less fragile security model.

Get Oxolan for Windows

Mac-Specific Notes

Mac file sharing (System Settings → General → Sharing → File Sharing) uses the same security considerations as Windows SMB: control which users can access which folders, use individual accounts per person, do not expose shares to the internet.

FileVault (Mac's equivalent to BitLocker) should be enabled on any Mac storing sensitive client files: System Settings → Privacy and Security → FileVault → Turn On.

A Simple Security Audit — Monthly Checklist

Run through these monthly:

Router firmware is up to date (check router admin panel for update option)
Windows is up to date on all machines (deferred updates not blocked for more than 4 weeks)
List of connected WiFi devices reviewed — no unexpected devices
Backup completed and recent restore tested within the last 90 days
Any staff departure triggers: account removed from host machine, share permissions updated, WiFi password changed

Frequently Asked Questions

Is local file sharing more secure than cloud storage? Not automatically. A local share with weak passwords and no access control is less secure than a properly configured cloud account. Security depends on implementation. Local sharing eliminates third-party access risks but requires you to manage perimeter and access security yourself.

Do we need a VPN for our office file sharing? A VPN is relevant for remote access (connecting to your office files from home or while travelling). It is not needed for file sharing that happens entirely within the office network. If staff need to access files from outside the office, a VPN is the correct solution.

What should we do if a staff member leaves? Immediately: disable or remove their Windows account on the host machine, revoke their NAS account, change the WiFi password if they knew it, change shared service account passwords if they had access. Do this on the day of departure.

Are USB flash drives a security risk? Yes, in two ways: they can introduce malware if inserted into machines, and they can be lost or stolen with data on them. Transitioning from USB-based file transfer to local network sharing reduces both risks — no data leaves the building on removable media.