With the explosion of remote work and increasing digitalization, OneDrive has become an essential tool for storing and sharing professional files. However, this widespread adoption comes with major risks: in 2024, nearly 47% of businesses experienced at least one cyberattack (Independant.io), and data breaches cost an average of $4.88 million (IBM). In Switzerland, fines for FADP violations can reach 250,000 CHF. How does OneDrive for Business work securely? What are the best practices for protecting sensitive data? This guide presents 10 essential rules for transforming OneDrive into a safe, organized, and high-performing workspace.

Table of Contents:
- Enable Multi-Factor Authentication (MFA)
- Understand and Use Data Encryption
- Master Sharing Permissions
- Organize a Logical Folder Structure
- Implement Security Labels
- Manage Storage Quotas
- Enable Version History
- Train and Raise User Awareness
- Configure Administrator Policies
- Integrate OneDrive into the Microsoft 365 Ecosystem
Why OneDrive Security Has Become a Priority
Today, businesses store considerable volumes of data in the cloud. OneDrive for Business provides 1 TB of storage per user by default; administrators can raise the default to 5 TB, and Microsoft support can extend individual accounts to 25 TB once they approach that limit. This capacity allows organizations to centralize documents, contracts, client files, and strategic data.
However, this centralization also makes OneDrive a prime target for cybercriminals. In 2024, 73% of data breaches originated from phishing and credential theft (NinjaOne), and human error is frequently cited as a factor in around 90% of security incidents. Proper configuration is therefore essential: most of the protections described below exist in every tenant, but not all of them are enabled by default.
Specific Challenges of Cloud Storage for Swiss Businesses
Companies based in Switzerland must also comply with strict data confidentiality requirements. Since 1 September 2023, the revised Federal Act on Data Protection (FADP) provides for fines of up to CHF 250,000 for intentional violations, imposed on the responsible individuals rather than on the company. Although OneDrive is covered by Microsoft's ISO 27001 certification and GDPR commitments, administrators must activate several security features themselves. Without these settings, files remain exposed to accidental sharing, unauthorized access, and data leaks.

Rule 1 – Enable Multi-Factor Authentication (MFA)
Multi-factor authentication is the first line of defense against unauthorized access: even if an attacker obtains the password, they cannot sign in without the second factor. Not all factors are equal, though. Codes sent by SMS and simple push approvals can be phished or worn down through repeated prompts, whereas FIDO2 security keys and passkeys are phishing-resistant. MFA drastically reduces intrusion risk, and the stronger the factor, the more of that benefit survives a targeted attack.
Multi-Factor Authentication Setup
To enable MFA for OneDrive for Business, two things are needed: each user must register a second factor, and the organization must require it. Users install the Microsoft Authenticator app on their smartphone, then register it under "Security info" at My Sign-Ins (https://aka.ms/mfasetup). Administrators then enforce MFA for everyone in the Microsoft Entra admin center, either with Security defaults (included in every tenant) or, with a Microsoft Entra ID P1 licence, with a Conditional Access policy that can be run in report-only mode before it is enforced.
Several verification methods are available: authenticator app (recommended), SMS, phone call, or FIDO2 physical security keys and passkeys. The Authenticator app offers a good balance between security and convenience; keep its number matching enabled so that a user cannot approve a prompt they did not trigger. SMS remains the weakest option because messages can be intercepted or redirected through SIM swapping. Finally, have every user register at least two methods so that a lost phone does not lock them out, and keep an emergency-access administrator account that is excluded from the policy and protected with a FIDO2 key.
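The enforcement step above, as an added example that is not part of the original article and not Microsoft's own code: a tenant-wide Conditional Access policy requiring MFA, created with the Microsoft Graph PowerShell SDK and started in report-only mode. The break-glass account object ID is a placeholder you must replace; the policy name is arbitrary.

```powershell
# Added example: require MFA for all users with a Conditional Access policy
# via the Microsoft Graph PowerShell SDK. Requires Microsoft Entra ID P1.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # first time only
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Assumption: object ID of your emergency-access ("break-glass") account.
# It is excluded so that a misconfigured policy can never lock every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "CA001 - Require MFA for all users"
    # Report-only first: the sign-in logs show who would have been blocked.
    # Change to "enabled" once the results look right.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review every Conditional Access policy and its state
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

To demand phishing-resistant methods only (FIDO2 keys, passkeys, Windows Hello for Business, certificates), replace the builtInControls entry with an authenticationStrength grant referencing the built-in "Phishing-resistant MFA" strength, and keep the break-glass exclusion; a policy that excludes nobody and requires a factor nobody has registered locks the whole tenant out, which is exactly why report-only mode comes first.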

Rule 2 – Understand and Use Data Encryption
OneDrive encrypts data at rest with 256-bit AES and protects data in transit with TLS 1.2 or later (Microsoft Learn). Each file is split into chunks that are encrypted with their own unique keys, and the keys are stored separately from the content. This architecture ensures that no single compromised component yields readable files. Organizations that must control the root keys themselves can add Microsoft 365 Customer Key, which lets them supply and revoke their own keys for SharePoint and OneDrive.
Personal Vault
For ultra-sensitive documents, the consumer edition of OneDrive offers Personal Vault: a folder that demands a second authentication at each access and locks automatically after a period of inactivity. On paid Microsoft 365 Personal and Family subscriptions there is no limit on the number of files it holds. Note that Personal Vault is not available for work or school accounts, so OneDrive for Business users get the equivalent protection from sensitivity labels that encrypt the file (Rule 5) combined with Conditional Access, not from a vault folder.
Additionally, some companies supplement this protection with client-side encryption tools such as AxCrypt or Boxcryptor (the latter stopped taking new customers after its acquisition by Dropbox in 2022). These solutions encrypt files before they are uploaded, so even Microsoft cannot read the content. The trade-off is that OneDrive's own features (search, preview, co-authoring, DLP inspection) no longer see the plaintext. This approach is particularly suitable for regulated sectors such as finance or healthcare.

Rule 3 – Master Sharing Permissions
Sharing errors represent one of the main causes of data leaks. OneDrive offers several types of links, each with a different security level. Understanding these options helps avoid accidental sharing.
Different Types of Sharing Links
- Anyone: anonymous link accessible without authentication (avoid completely for sensitive data)
- People in your organization: link accessible only to internal employees
- Specific people: nominal sharing with defined users
- People with existing access: link restricted to people who already have permissions
For each share, define permissions precisely: view only or edit (full control stays with the file's owner and is never granted through a link). For view links, block downloads to prevent copying. Add an expiration date and, for Anyone links, a password. These measures significantly limit uncontrolled distribution.
Access Auditing and Revocation
Regularly review files shared externally. The "Manage access" pane on a file or folder shows every link and every person with access, and access can be revoked instantly; administrators can also search the audit log for sharing events (Rule 9). This review proves particularly useful when an employee leaves the company or an external partner completes their assignment. Never leave permanent access unsupervised.
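The tenant-wide side of this rule, as an added example that is not part of the original article: the SharePoint Online Management Shell settings that turn the permissive defaults (Anyone links allowed, edit by default, no expiry) into a baseline where the default link is "Specific people", read-only, and anonymous links are disabled. The tenant name "contoso" and the user "alice" are placeholders.

```powershell
# Added example: harden sharing defaults for OneDrive and SharePoint
# with the SharePoint Online Management Shell.
Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser   # first time only
# Assumption: your tenant is "contoso"; the admin URL is always <tenant>-admin.sharepoint.com
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current state. A fresh tenant typically reports
#    SharingCapability = ExternalUserAndGuestSharing ("Anyone" links allowed)
#    and no link expiry.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    FileAnonymousLinkType, PreventExternalUsersFromResharing

# 2. Hardened baseline, applied in one call
$hardened = @{
    SharingCapability                 = "ExternalUserSharingOnly"  # guests must sign in; no "Anyone" links
    DefaultSharingLinkType            = "Direct"                   # default link type = "Specific people"
    DefaultLinkPermission             = "View"                     # read-only unless the sharer opts in
    RequireAnonymousLinksExpireInDays = 14                         # applies if Anyone links are re-enabled
    FileAnonymousLinkType             = "View"
    FolderAnonymousLinkType           = "View"
    PreventExternalUsersFromResharing = $true
    ExternalUserExpirationRequired    = $true                      # guest access expires ...
    ExternalUserExpireInDays          = 30                         # ... after 30 days unless renewed
    NotifyOwnersWhenItemsReshared     = $true
}
Set-SPOTenant @hardened

# 3. Stricter setting for one user's OneDrive: only guests who already exist in the directory
Set-SPOSite -Identity "https://contoso-my.sharepoint.com/personal/alice_contoso_com" `
    -SharingCapability ExistingExternalUserSharingOnly

# 4. Confirm
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

Tenant settings are a ceiling, not a floor: a site or OneDrive can be made stricter than the tenant (step 3) but never more permissive, so run step 2 before auditing individual accounts.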

Rule 4 – Organize a Logical Folder Structure
A well-designed folder structure makes finding files easier and reduces filing errors. Several approaches exist: organization by project, by department, by client, or by year. The important thing is to choose a consistent system and stick to it.
File Naming Convention
Adopt a standardized naming system for all files. For example: YYYYMMDD_Document-Name_Version. This structure allows chronological sorting of files and quick identification of their content. Avoid the characters OneDrive rejects outright, " * : < > ? / \ and |, as well as names starting with ~$ and the reserved names CON, PRN, AUX, NUL, COM0 to COM9, LPT0 to LPT9, .lock and desktop.ini, which will not sync.
Limit the folder hierarchy depth to 3-4 levels maximum to avoid complexity. Use descriptive and understandable names. Keep in mind that the full path in OneDrive is limited to 400 characters, and that Windows PCs without long-path support stop at 260, so deeply nested files can upload successfully yet fail to sync to a laptop. Finally, train all employees on these conventions to ensure compliance.
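A checker for the convention and limits above, as an added example that is not part of the original article. The convention it enforces (YYYYMMDD_Document-Name_vN.ext) and the sample file names are constructed for illustration; the 260-character default reflects the Windows sync-client limit, not the 400-character cloud limit.

```powershell
# Added example: validate file names against the house convention and the
# names and characters OneDrive refuses to sync.
function Test-OneDriveFileName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,   # file name including extension
        [string] $FolderPath = "",               # local folder the file will sync into (assumed)
        [int]    $MaxPathLength = 260            # Windows MAX_PATH; OneDrive itself allows 400
    )
    $problems = @()

    # Characters OneDrive/SharePoint reject in file and folder names
    if ($Name -match '[\"*:<>?/\\|]') { $problems += 'contains a forbidden character: " * : < > ? / \ |' }
    if ($Name -match '^\s|\s$')       { $problems += 'leading or trailing whitespace' }
    if ($Name -match '^~\$')          { $problems += 'starts with ~$ (Office lock-file prefix)' }

    # Reserved names that the sync client skips
    $base = $Name -replace '\.[^.]*$', ''
    if ($base -match '^(CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])$') { $problems += 'reserved Windows device name' }
    if ($Name -ieq 'desktop.ini' -or $Name -ieq '.lock')      { $problems += 'name is reserved by OneDrive' }
    if ($Name -match '_vti_')                                  { $problems += '_vti_ is reserved by SharePoint' }

    # House convention: YYYYMMDD_Document-Name_vN.ext (hypothetical, from the article's example)
    if ($Name -notmatch '^\d{8}_[A-Za-z0-9-]+_v\d+\.[A-Za-z0-9]+$') {
        $problems += 'does not follow YYYYMMDD_Document-Name_vN.ext'
    } else {
        $date = $Name.Substring(0, 8)
        try   { [void][datetime]::ParseExact($date, 'yyyyMMdd', $null) }
        catch { $problems += "date prefix $date is not a real date" }
    }

    # Length of the full local path once the file is synced
    $fullPath = if ($FolderPath) { $FolderPath.TrimEnd('\') + '\' + $Name } else { $Name }
    if ($fullPath.Length -gt $MaxPathLength) {
        $problems += "full path is $($fullPath.Length) characters (limit $MaxPathLength)"
    }

    [pscustomobject]@{ Name = $Name; Valid = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample names: one compliant, three that should be flagged
'20240315_Client-Contract_v2.pdf', 'Budget: final?.xlsx', 'CON.txt', 'Report v1.docx' |
    ForEach-Object { Test-OneDriveFileName -Name $_ -FolderPath 'C:\Users\alice\OneDrive - Contoso\Finance' } |
    Format-Table -AutoSize
```

Run it over an export of an existing share before migrating it to OneDrive; the reserved-name and forbidden-character checks catch the files that would otherwise show up as sync errors on every employee's laptop.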

Rule 5 – Implement Security Labels
Microsoft Purview Information Protection allows automatic classification of documents according to their sensitivity. This feature, integrated into OneDrive for Business, applies restrictions based on confidentiality level. It’s a powerful tool for data governance.
Create a Classification System
Define classification levels adapted to your organization. Typically: Public (accessible to everyone), Internal (reserved for employees), Confidential (restricted access), Secret (maximum protection). Associate automatic protections with each level: content marking and watermarks, a block on external sharing, and, for the top levels, encryption with usage rights (no printing, copying or forwarding) that travels with the file even after it leaves OneDrive.
DLP (Data Loss Prevention) policies automatically detect sensitive data such as credit card numbers, customer details, or personal information. When a user attempts to share a document containing these elements, the system can warn them with a policy tip, block the action, and alert an administrator. Run a new policy in test mode first and review the matches, because a rule that blocks a legitimate contract is the fastest way to lose user buy-in. This automation significantly reduces the risk of human error.

Rule 6 – Manage Storage Quotas
Each OneDrive for Business user has 1 TB of storage by default. While generous, this space is not unlimited. Quota saturation blocks synchronization and can lead to data loss. Proactive management is therefore necessary.
Storage Space Optimization
Use the “Files On-Demand” feature to free up local space without deleting files from the cloud. This option displays all your files in Explorer but only downloads them when you open them. It’s ideal for laptops with limited hard drive space.
Regularly identify large and obsolete files. Archive old projects or move very large files to SharePoint or Teams. Don't forget that the OneDrive recycle bin keeps deleted files for 93 days. Emptying it recovers space, but it also removes the safety net that Files Restore (Rule 7) relies on for deleted files, so do it deliberately rather than as a routine. Finally, compress large files when appropriate.
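The administrative side of quota management, as an added example that is not part of the original article: raising the default quota for new accounts and reporting every OneDrive above 80% usage with the SharePoint Online Management Shell. The tenant name "contoso" and the 80% threshold are assumptions.

```powershell
# Added example: set the default OneDrive quota and list accounts close to their limit.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption: tenant "contoso"

# Default quota for newly provisioned OneDrive accounts, in MB:
# 1 TB = 1048576, 5 TB = 5242880 (the admin-settable maximum; beyond that, ask Microsoft support)
Set-SPOTenant -OneDriveStorageQuota 5242880

# OneDrive sites live under <tenant>-my.sharepoint.com/personal/; usage and quota are in MB
$threshold = 80   # percent
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object Owner, Url, StorageUsageCurrent, StorageQuota,
        @{ n = "PercentUsed"; e = {
            if ($_.StorageQuota -gt 0) { [math]::Round(100 * $_.StorageUsageCurrent / $_.StorageQuota, 1) } else { 0 }
        } } |
    Where-Object { $_.PercentUsed -ge $threshold } |
    Sort-Object PercentUsed -Descending |
    Format-Table Owner, PercentUsed, StorageUsageCurrent, StorageQuota -AutoSize

# Raise one account that is about to saturate (value in MB; here 5 TB)
# Set-SPOSite -Identity "https://contoso-my.sharepoint.com/personal/alice_contoso_com" -StorageQuota 5242880
```

Run the report on a schedule and act on it before users hit 100%: a saturated account stops syncing, and users who then "clean up" by emptying the recycle bin also discard the deleted-file history that Rule 7 depends on.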

Rule 7 – Enable Version History
OneDrive for Business keeps previous versions of every file automatically: the default limit is 500 major versions per file, and administrators can raise it (the lowest value Microsoft allows is 100). Versioning is on by default and cannot be switched off, so the point of this rule is to verify that nobody has lowered the limit. This feature allows you to revert to a previous version in case of modification error, corruption, or ransomware attack. It's valuable insurance against incidents.
Recovery After Ransomware Attack
The “Restore your OneDrive” feature (Files Restore) allows you to return the entire OneDrive to any point in the previous 30 days. On consumer accounts OneDrive itself detects mass file modifications and notifies the user; in business tenants the comparable warning comes from the Microsoft 365 alert policies and Defender, which flag ransomware-like activity across the tenant. Either way the recovery step is the same: choose a date just before the attack and restore the whole account.
This protection proves particularly effective against ransomware that encrypts files. Unlike a local hard drive, OneDrive keeps the intact earlier versions and the deleted originals for 30 days after the incident, provided the recycle bin was not emptied. That window is comfortable only if someone is watching: restore as soon as the encryption is noticed, and stop the sync client on infected machines first so that the restored files are not encrypted a second time.

Rule 8 – Train and Raise User Awareness
Technology alone is not enough. Employees represent both the greatest vulnerability and the best protection. Regular training is therefore essential to reduce human errors, which are responsible for the majority of security incidents.
Create a OneDrive Usage Policy
Draft a clear document defining usage rules: naming conventions, sharing policy, sensitive data handling, incident procedures. All employees must sign this policy during onboarding. It serves as a reference in case of violation.
Organize practical workshops on security features. Concretely demonstrate how to register MFA methods, apply a sensitivity label, or check and revoke sharing permissions. Demonstrations are better than lengthy manuals. Also test knowledge with phishing simulations to measure vigilance levels.

Rule 9 – Configure Administrator Policies
The Microsoft 365 admin center, together with the SharePoint, Microsoft Entra and Microsoft Purview admin centers, offers numerous settings to strengthen overall security. These settings apply to the entire organization and complement individual measures. Only administrators can access them.
Data Loss Prevention (DLP) Strategies
Configure DLP rules to automatically block sharing of sensitive data. For example, prohibit external sending of documents containing social security numbers, bank details, or medical information. The system analyzes content in real time and blocks non-compliant actions. Scope each policy to the locations it is meant for (OneDrive accounts, SharePoint sites, Exchange, Teams) and switch it from test mode to enforcement only after reviewing what it matched.
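The DLP configuration described in Rule 5 and here, as one added example that is not part of the original article: a Purview DLP policy scoped to all OneDrive accounts that blocks external sharing of files containing payment card numbers, created with Security & Compliance PowerShell. The admin UPN and policy names are placeholders; "Credit Card Number" is one of Microsoft's built-in sensitive information types.

```powershell
# Added example: DLP policy for OneDrive that blocks sharing of card data outside the organisation.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # first time only
Connect-IPPSSession -UserPrincipalName admin@contoso.com      # assumption: your compliance admin UPN

$policyName = "OneDrive - Block external sharing of card data"

# Policy scoped to every OneDrive account; starts in test mode so matches are logged and
# users see policy tips, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "Rules 5 and 9: payment card data must not leave the organisation via OneDrive"

# Rule: at least one credit card number, shared with someone outside the organisation
# -> block access for the external recipients, tell the owner why, report to the site admin.
New-DlpComplianceRule -Name "Card data shared externally" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This file contains payment card data and cannot be shared outside the company." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Detections, DocumentAuthor, Title `
    -ReportSeverityLevel High

# Review the test-mode matches in the Purview portal (Data loss prevention > Activity explorer),
# then enforce:
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Confirm policy and rule state
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, BlockAccess, AccessScope
```

BlockAccessScope PerUser blocks only the people outside the organisation while internal collaborators keep working; BlockAccessScope All would lock out everyone except the owner, which is appropriate for the "Secret" level but disruptive as a first step.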
Check that the unified audit log is enabled (it is on by default in new tenants) and that it records all OneDrive actions: access, modifications, sharing, deletions. These logs allow quick identification of abnormal behavior and provide essential evidence in case of incident. Audit (Standard) retains events for 180 days; Audit (Premium) can keep them for a year or longer. Choose a retention that meets your Swiss FADP obligations and your own incident-response needs, since a breach is often discovered well after the default window has passed.
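Querying that log for the sharing events Rule 3 asks you to review, as an added example that is not part of the original article: it pulls the last week of OneDrive sharing operations from the unified audit log with Exchange Online PowerShell and lists who shared what with whom, with "Anyone" links (AnonymousLinkCreated) at the top of the list of things to check. The admin UPN is a placeholder; the retention policy at the end requires Audit (Premium).

```powershell
# Added example: review OneDrive sharing events from the unified audit log.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # first time only
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com  # assumption: your admin UPN

# Auditing must be on for anything below to return data (default: on)
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Sharing operations worth reviewing; AnonymousLinkCreated means an "Anyone" link was made
$ops = @(
    "AnonymousLinkCreated"
    "SharingInvitationCreated"
    "SecureLinkCreated"
    "AddedToSecureLink"
    "SharingSet"
)

# -ResultSize caps at 5000 per call; large tenants page with -SessionCommand ReturnLargeSet
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $ops -ResultSize 5000

# AuditData is a JSON document per event; Workload separates OneDrive from SharePoint sites
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Workload -eq "OneDrive" } |
    Select-Object CreationTime, UserId, Operation, ObjectId,
        @{ n = "SharedWith";     e = { $_.TargetUserOrGroupName } },
        @{ n = "SharedWithType"; e = { $_.TargetUserOrGroupType } } |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize

# Optional, Audit (Premium) only: keep sharing and file events for twelve months
New-UnifiedAuditLogRetentionPolicy -Name "OneDrive sharing and file events - 1 year" `
    -RecordTypes SharePointSharingOperation, SharePointFileOperation `
    -RetentionDuration TwelveMonths -Priority 10
```

Export the result to CSV for the quarterly access review; anything shared with a Guest or via an anonymous link that the owner cannot justify is revoked from the file's "Manage access" pane or by an administrator.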

Rule 10 – Integrate OneDrive into the Microsoft 365 Ecosystem
OneDrive, SharePoint, and Teams form a cohesive ecosystem. Each has a specific role: OneDrive for personal files, SharePoint for team sites and collaborative projects, Teams for conversations and channels. Understanding these interactions optimizes collaboration.
Synchronization with Outlook and Teams
When you share a large file by email, Outlook can automatically create a OneDrive link instead of an attachment. This practice avoids the 25 MB attachment limit and ensures all recipients access the latest version. Additionally, permissions remain controlled through OneDrive.
In Teams, files from private chats are stored in the sender's OneDrive, while files posted in standard channels go to the team's SharePoint site (private and shared channels get their own SharePoint site). This separation makes access management easier. Remember, however, that version history and recycle bins are not a backup: back up this data regularly with a third-party solution to comply with the 3-2-1 backup rule (three copies, two different media, one offsite).

Conclusion
Securing and organizing OneDrive for Business requires a comprehensive approach combining technology, procedures, and training. The 10 rules presented in this guide cover essential aspects: enhanced authentication, encryption, permission management, file organization, data classification, quotas, version history, user awareness, administrative policies, and Microsoft 365 integration.
By applying these recommendations, Swiss and international businesses significantly reduce their exposure to cyberattacks and data leaks. FADP penalties can quickly add up, but beyond the financial aspect, it’s reputation and customer trust that are at stake. OneDrive then becomes a powerful and secure tool, facilitating collaboration while protecting information assets.
Cybersecurity is not a destination but a continuous process of improvement and adaptation to new threats. Regularly train your teams, audit your configurations, and stay informed about developments in how OneDrive for Business works and its new protection features.
FAQ: Frequently Asked Questions
How does OneDrive for Business work compared to the personal version?
OneDrive for Business offers 1 TB of storage (expandable to 5 TB by the administrator and to 25 TB on request), integrates advanced security features (DLP, classification labels, complete auditing), and belongs to the organization rather than the user. It integrates natively with SharePoint and Teams for enterprise collaboration.
Are my OneDrive for Business files truly private?
OneDrive for Business files belong to the organization. Administrators can access them when necessary, particularly when an employee leaves, and those actions are themselves recorded in the audit log. Personal Vault does not exist for work or school accounts; for maximum confidentiality, use sensitivity labels with encryption or client-side encryption with a third-party tool, bearing in mind that the latter hides the content from OneDrive's own search, DLP and co-authoring features.
Can I recover a file deleted more than 93 days ago?
By default, the OneDrive recycle bin keeps files for 93 days. If the user empties it, the items move to the second-stage recycle bin, from which an administrator can still restore them, but the same 93-day clock covers both stages. Beyond that, Microsoft support can sometimes recover data within a further 14 days, without guarantee. A third-party backup solution such as Veeam or AvePoint then becomes essential for maintaining a longer history and ensuring business continuity.
How can I prevent downloading of a shared file?
When sharing, open the link settings and turn off “Allow download” (available for view-only links). This restriction forces online viewing and prevents users from saving a local copy. It applies to both external and internal sharing and limits casual redistribution, but it is not rights management: a determined recipient can still screenshot or photograph the content, so pair it with a sensitivity label for genuinely sensitive files.
Is OneDrive for Business compliant with Swiss FADP?
Yes, OneDrive is covered by Microsoft's ISO 27001 certification and its FADP compliance commitments, and Swiss tenants can keep their data at rest in Microsoft's Swiss data centers (Zurich and Geneva regions) rather than elsewhere in Europe. However, complete compliance also depends on your configuration (enabling labels, DLP, audit logs) and your internal procedures for managing and reporting violations.
