Critical Security Features to Enable in Google Workspace
Part of the Education Series by Advisory
For many small and midsize businesses, Google Workspace is the backbone of daily operations — email, storage, collaboration, and identity all in one place. But too often, companies set it up once and never revisit the security settings. The result? Unnecessary risk, avoidable breaches, and preventable downtime.
This guide highlights the critical security settings every SMB should enable in Google Workspace, especially if you don’t have a dedicated IT team. These are practical, high-impact steps that dramatically improve your security posture without requiring advanced technical expertise.
1. Enforce Multi-Factor Authentication (MFA)
Why It Matters
MFA is the single most effective protection against account compromise. Over 99% of automated account attacks fail when MFA is turned on.
✅ What to Do
- Go to: Admin Console → Security → Authentication → 2-Step Verification
- Require MFA for all users — don’t leave it optional.
- Prefer Google Prompt or hardware security keys over SMS.
- Create a tiny “2FA Exempt” group for service accounts (if absolutely needed), and review it quarterly.
2. Strengthen Password & Identity Policies
Why It Matters
Weak or reused passwords remain among the most common causes of breaches.
✅ What to Do
- Enforce 12-character minimum passwords.
- Prevent password reuse.
- Enable secure self-service password reset.
- Encourage organization-wide use of a password manager (1Password, Bitwarden, etc.).
- Use logical Organizational Units (OUs) to apply stronger policies to sensitive user groups (Finance, HR, Executives).
3. Maintain Strong Account Hygiene
Why It Matters
Inactive or forgotten accounts are a major security risk — attackers love them.
✅ What to Do
- Audit user accounts every 30–60 days.
- Immediately suspend or archive inactive users.
- Use Shared Drives or Google Groups instead of keeping old user accounts active.
- Build a simple onboarding/offboarding checklist tied to HR to eliminate mistakes and ensure consistent data handling.
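The MFA enforcement check from section 1 and the 30–60 day account audit above can be run against the user list you download from the Admin Console. The script below is an added example, not part of the original article; it assumes the column headers and date format of that export (treated as an assumption here) and uses a constructed sample export instead of real data.

```python
"""Flag stale and 2SV-unenrolled accounts in a Google Workspace user export."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Column headers as produced by the Admin Console user download (assumed layout).
EMAIL = "Email Address [Required]"
LAST_SIGN_IN = "Last Sign In [READ ONLY]"
TWO_SV = "2SV Enrolled [READ ONLY]"
STATUS = "Status [READ ONLY]"

# Constructed sample export; every row is fictitious.
SAMPLE_EXPORT = f"""\
{EMAIL},{LAST_SIGN_IN},{TWO_SV},{STATUS}
alice@example.com,2024/05/30 09:12:00,True,Active
bob@example.com,2024/01/03 17:45:00,False,Active
carol@example.com,Never logged in,False,Active
dave@example.com,2024/05/28 08:00:00,True,Suspended
"""

def parse_sign_in(value):
    """Return an aware UTC datetime, or None for accounts that never signed in."""
    if value.strip().lower() in ("", "never logged in"):
        return None
    return datetime.strptime(value.strip(), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def audit_users(csv_text, now, max_idle_days=60):
    """Return {"inactive": [...], "no_2sv": [...]} for currently active accounts.

    Suspended or archived users are skipped: they are already out of scope.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = {"inactive": [], "no_2sv": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[STATUS].strip() != "Active":
            continue
        last = parse_sign_in(row[LAST_SIGN_IN])
        if last is None or last < cutoff:
            findings["inactive"].append(row[EMAIL])
        if row[TWO_SV].strip().lower() != "true":
            findings["no_2sv"].append(row[EMAIL])
    return findings

def sample_report():
    """Audit the constructed export at a fixed date so the output is reproducible."""
    return audit_users(SAMPLE_EXPORT, datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for kind, emails in sample_report().items():  # use datetime.now(timezone.utc) in practice
        print(f"{kind}: {', '.join(emails) or 'none'}")
```

Accounts listed under "inactive" are candidates for suspension; accounts under "no_2sv" show where the enforcement policy has not yet taken effect.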
4. Lock Down Admin Accounts
Why It Matters
Admin accounts can access everything — they must be treated with care.
✅ What to Do
- Create separate, dedicated admin accounts (do not use personal work accounts).
- Require hardware keys (e.g., YubiKeys) for all admins.
- Limit super admins — aim for no more than 2–3.
- Review admin roles every quarter.
- Turn on admin activity alerts (password resets, privilege changes, MFA changes).
5. Control Third-Party App & API Access
Why It Matters
Many breaches now occur through malicious or over-permissioned apps.
✅ What to Do
- Visit: Security → API Controls → App Access Control
- Review which apps users have connected using “Sign in with Google.”
- Block or restrict unverified or unnecessary apps.
- Require approval for new third-party integrations.
- Warn users about data-sharing when authorizing apps.
6. Tune Session & Access Policies
Why It Matters
Long login sessions and unmanaged devices increase the chance of unauthorized access.
✅ What to Do
- Reduce session duration for sensitive apps (e.g., Google Admin).
- Enable context-aware access to block:
  - Outdated OS versions
  - Untrusted networks
  - High-risk geographies
- Restrict access to trusted devices using Endpoint Management.
- Enforce MFA for new devices or unfamiliar locations.
7. Harden Email & Domain Security
Why It Matters
Email is still the #1 attack vector for SMBs — phishing, spoofing, and malicious links.
✅ What to Do
- Ensure SPF, DKIM, and DMARC are configured correctly.
- Turn on enhanced anti-phishing protections.
- Disable external auto-forwarding.
- Maintain a blocked sender list.
- Enable Gmail Security Sandbox for attachment scanning (available on higher tiers).
- Consider restricting Confidential Mode to limited groups.
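"Configured correctly" for SPF and DMARC means more than the records existing: a permissive +all or a p=none policy leaves spoofing unblocked. The checker below is an added example, not from the article; it runs on constructed TXT records so it works offline, and you would feed it the TXT lookups for your own domain and _dmarc subdomain.

```python
"""Check SPF and DMARC records for the weak settings that undermine domain protection."""
import re

# Constructed TXT records: one well-configured Google Workspace domain, one weak one.
RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none",
    },
}

def check_spf(record):
    """Return findings for the SPF TXT record at the domain apex."""
    findings = []
    mechanisms = record.split()
    if not mechanisms or mechanisms[0] != "v=spf1":
        return ["SPF record missing or malformed"]
    terms = mechanisms[1:]
    if "include:_spf.google.com" not in terms:
        findings.append("SPF does not include _spf.google.com, so Workspace mail fails SPF")
    terminal = terms[-1] if terms else ""
    if terminal in ("+all", "all"):
        findings.append("SPF ends with +all: any host may send as this domain")
    elif terminal not in ("-all", "~all"):
        findings.append("SPF has no terminal -all or ~all")
    return findings

def check_dmarc(record):
    """Return findings for the TXT record at _dmarc.<domain>."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC policy tag p= missing or invalid")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so no aggregate reports arrive")
    return findings

def audit_domain(domain, records=RECORDS):
    """Run both checks for one domain; empty lists mean nothing to fix."""
    rec = records[domain]
    return {"spf": check_spf(rec["spf"]), "dmarc": check_dmarc(rec["dmarc"])}
```

Start at p=none only to collect reports, then move to quarantine and reject once the aggregate reports show no legitimate senders failing.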
8. Implement DLP & Safe File-Sharing Defaults
Why It Matters
Small mistakes (accidental sharing of sensitive info) create big security risks.
✅ What to Do
- Enable basic Data Loss Prevention (DLP) for Drive and Gmail.
- Use templates that match your region (don’t enable rules irrelevant to your business).
- Configure external sharing defaults:
  - Allow only trusted domains
  - Limit who can create Shared Drives
  - Require business-critical files to live in Shared Drives, not My Drive
- Set alerts or Slack notifications for DLP violations.
9. Add Backup & Recovery Protections
Why It Matters
Google Workspace is resilient, but it is not a backup solution. Mistakes, deletions, and malicious actions still happen.
✅ What to Do
- Implement a third-party backup (CloudAlly, SpinBackup, Acronis).
- Ensure it includes Gmail, Drive, Shared Drives, and Calendars.
- Test restores at least twice per year.
- Include your backup strategy in your business continuity plan.
10. Enable Security Alerts & Monitoring
Why It Matters
If you aren’t watching your environment, you won’t know when something goes wrong.
✅ What to Do
- Turn on alerts for key events:
  - Admin role changes
  - Suspicious logins
  - Mass file transfers or deletions
  - Spam spikes
- Route alerts to a shared email or Slack channel.
- Assign someone to review alerts weekly — even just 10 minutes helps.
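The "mass file deletions" alert above is a threshold on a sliding window: many deletes by one user in a short span, while ordinary housekeeping stays quiet. The detector below is an added example, not from the article or Google; it runs over constructed events whose field names are assumed rather than the Drive audit log's real schema.

```python
"""Flag a burst of Drive deletions by one user, one of the events the article says to alert on."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 6, 1, 9, 0, 0)

def sample_events():
    """Constructed Drive-audit-style events; field names are assumed, not Google's schema."""
    events = []
    for i in range(25):  # one user deletes 25 files in five minutes
        events.append({"actor": "bob@example.com", "event": "delete",
                       "time": BASE + timedelta(seconds=12 * i), "doc": f"file-{i}.docx"})
    for i in range(3):  # normal housekeeping spread over a morning
        events.append({"actor": "alice@example.com", "event": "delete",
                       "time": BASE + timedelta(hours=i), "doc": f"draft-{i}.docx"})
    events.append({"actor": "bob@example.com", "event": "edit",
                   "time": BASE + timedelta(minutes=1), "doc": "notes.docx"})
    return events

def detect_mass_deletion(events, threshold=20, window_minutes=10):
    """Return {actor: time the threshold was first crossed}; one alert per actor.

    A per-actor sliding window counts only delete events, so edits and views
    never contribute to the count.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["event"] != "delete":
            continue
        q = recent[e["actor"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:  # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in alerts:
            alerts[e["actor"]] = e["time"]
    return alerts

if __name__ == "__main__":
    for actor, when in detect_mass_deletion(sample_events()).items():
        print(f"ALERT: {actor} crossed the deletion threshold at {when:%H:%M:%S}")
```

Tune the threshold and window to your own baseline; the point is that the alert fires once per actor and routes to the shared channel someone actually reviews.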
11. Secure Chrome & User Browsers
Why It Matters
The browser is the new endpoint. Most security issues start here.
✅ What to Do
- Manage Chrome Browser from the Admin Console.
- Enforce Safe Browsing and block risky extensions.
- Prevent users from syncing personal accounts to corporate browsers.
- Standardize extension policies to reduce malware risk.
- Push baseline settings (homepage, bookmarks, pop-up blocking, etc.).
12. License Optimization (Optional but Helpful)
Why It Matters
Many small businesses overspend on licenses they don’t need.
✅ What to Do
- Review license tiers annually.
- Reclaim unused licenses from archived or offboarded users.
- Compare the features you need with Enterprise vs. Business tiers — some higher tiers actually save money by consolidating external tools.
13. Bonus: Recommended Enhancements
Consider Also
- Security Awareness Training (KnowBe4, Hoxhunt, Curricula).
- SSO + centralized identity (Okta) for stronger control.
- Zero Trust principles (verify every user, every device, every time).
- Retain audit logs for at least 6–12 months to support investigations.
Final Thoughts
Securing your Google Workspace environment doesn’t require a big IT team or complicated tools — but it does require doing the right things early. Implementing the above controls dramatically reduces the chances of account compromise, data loss, and business disruption.
If you’d like Advisory to perform a Google Workspace Security Audit or help you implement these best practices, we’d be happy to support you.