October 7, 2025

The Essential Google Workspace Security Checklist

Protect your business data with these critical security configurations. Many businesses operate on default settings, leaving doors open for data breaches and unauthorized access. This guide will walk you through the essentials.

Enforce 2-Step Verification (2SV)

If you do only one thing from this list, make it this. 2-Step Verification requires a second form of verification in addition to a password. This means that even if a criminal steals a user's password, they can't access the account without their phone or a physical security key.

The Stakes Are High

According to Google, 2SV blocks 100% of automated bot attacks, 99% of bulk phishing attacks, and 66% of targeted attacks. Without it, your accounts are vulnerable.

Implementation Steps

  1. Navigate to the Admin Console: Security → Authentication → 2-Step Verification.
  2. Don't just "allow" 2SV—enforce it for all users in your organization.
  3. Set a grace period (e.g., 1-2 weeks) for your team to enroll before enforcement begins.

Pro Tip

Consider deploying physical security keys (like YubiKeys) for administrative accounts. They're the most secure 2SV method available and can't be phished like phone-based codes.

Strengthen Password Policies

Weak, reused, or easily guessable passwords are a primary cause of security breaches. Google Workspace allows you to set minimum standards for all user passwords, creating a strong first line of defense.

Your Action:

  • In the Admin Console, enforce a minimum length of at least 12 characters.
  • Enable password strength enforcement to block common patterns like "Password123".
  • Prevent password reuse by blocking users from using their last 10-24 passwords.

Control Third-Party App Access

Each time an employee clicks "Sign in with Google" on a new service, they may grant that app ongoing access to emails, contacts, and files. Attackers specifically target poorly secured third-party apps as an easier entry point than attacking Google directly.

Your Action Plan:

  1. Review current connections: Check `Apps → Connected Apps` to see what's already authorized and remove unused or untrusted apps.
  2. Implement allowlisting: Create an approved list of trusted applications and block all others by default.
  3. Schedule regular audits: Review connected applications on a quarterly basis to ensure continued compliance.

Protect Your Email from Spoofing

SPF, DKIM, and DMARC are like your email's digital passport. They are settings in your domain's DNS that prove emails sent from your domain are legitimate, preventing criminals from "spoofing" your email addresses to impersonate your company.

  • SPF: Lists the servers authorized to send email on behalf of your domain.
  • DKIM: Adds a cryptographic signature to outgoing mail so receiving servers can verify it was not altered and really came from your domain.
  • DMARC: Tells receiving servers how to handle mail that fails the SPF and DKIM checks.

Your Action:

  • Ensure all three of these records are correctly configured in your domain's DNS settings. This is a technical but essential step to protect your brand's reputation and prevent phishing attacks.
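As an added example (not code from the original post), here is a small Python audit that applies the checks above to SPF, DKIM and DMARC TXT records supplied as strings, flagging the weak settings a spoofer benefits from. The domain, selector and record values are constructed; in practice you would fetch the records with a DNS resolver first.

```python
import re

def _tags(txt):
    """Parse the 'k=v; k2=v2' tag list used by DKIM and DMARC records."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)

def check_spf(txt):
    """Findings for the SPF TXT record at the domain apex ('' if none)."""
    if not txt.startswith("v=spf1"):
        return ["no SPF record published"]
    terms, findings = txt.split(), []
    # "+all" (or a bare "all") authorises every host on the internet
    if any(t in ("+all", "all") for t in terms):
        findings.append("SPF ends in +all: every sender is authorised")
    elif not any(t in ("-all", "~all") for t in terms):
        findings.append("SPF has no -all/~all terminator (result is neutral)")
    # RFC 7208 allows at most 10 DNS-lookup mechanisms; more yields permerror
    lookups = [t for t in terms
               if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", t)]
    if len(lookups) > 10:
        findings.append(f"SPF needs {len(lookups)} DNS lookups (limit is 10)")
    return findings

def check_dkim(txt):
    """Findings for the TXT record at <selector>._domainkey.<domain>."""
    if not txt:
        return ["no DKIM record at the selector"]
    return [] if _tags(txt).get("p") else ["DKIM public key (p=) is empty: selector revoked"]

def check_dmarc(txt):
    """Findings for the TXT record at _dmarc.<domain>."""
    if not txt.startswith("v=DMARC1"):
        return ["no DMARC record published"]
    tags, findings = _tags(txt), []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: mail failing SPF/DKIM is still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports")
    return findings

def audit(records):
    """Run all three checks over a dict with 'spf', 'dkim' and 'dmarc' keys."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])

# Constructed sample records for a fictional domain (not real DNS data)
WEAK = {"spf": "v=spf1 include:_spf.google.com +all", "dkim": "v=DKIM1; k=rsa; p=",
        "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 include:_spf.google.com -all", "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
          "dkim": "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY_PLACEHOLDER"}
```

Running `audit(WEAK)` returns four findings, one per misconfiguration, while `audit(STRONG)` returns an empty list.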

Lock Down Your File Sharing

One of Google Drive's best features—easy sharing—can also be its biggest risk. A common mistake is allowing users to share files publicly with "Anyone with the link," which can expose sensitive data to the entire internet.

An accidental public share of a sensitive client document can have devastating consequences for your business reputation and legal compliance.

Your Action:

  1. In the Admin Console, set the default sharing setting to "Private" or "Only people in your organization."
  2. Train your team to be intentional about who they grant access to, preferring to share with specific people rather than broad links.

Bonus: Additional Security Layers

Advanced Email Protection

  • Enable advanced phishing and malware protection in Gmail security settings.
  • Configure attachment protection so that encrypted attachments from untrusted senders, which cannot be scanned for malware, are flagged or quarantined.

Access Controls

  • Implement context-aware access to restrict logins from unrecognized devices or locations.
  • Configure session length controls to automatically log out inactive users.

Need Expert Help?

Let's fix your security vulnerabilities together in a focused 90-minute session. We'll implement these critical settings correctly and ensure your team understands the changes.

Book a Rescue Session