The Cornell default link access level is "people in this folder," or people who already have access. You have to make an explicit decision to make the links more open. 

A standard Box shared link looks like this: https://cornell.box.com/s/ub4eqjy4rvi4y813ty1m 

A custom Box shared link looks like this: https://cornell.box.com/v/betareaders. You have to set this friendly link explicitly when you create the link. 

Neither custom links nor open links should be used for data that you do not want disclosed, because it's relatively easy for outsiders to scan for and download your data. Some instances of Box customers who had shared sensitive data this way prompted Box to do this cleanup. 

There are many legitimate uses for sharing public information with open links. If you have one, you can check the link with the Share menu in Box, and set it to open, if appropriate for your data.  

Remove any links that you're no longer using, and review any sensitive data stored in Box to make sure the links are to "people in this folder" only.

For any files that were shared openly and contain PII (Personally Identifiable Information, such as Social Security Numbers, passports, or drivers licenses) or other sensitive data, the oversharing must be corrected and reported to the IT Security Office. 

For more information see Box's documentation about using shared links.