The Admin’s Google Workspace Security Checklist
Every Google Workspace Admin strives to make their domain as secure as possible. It's a job requisite whose implications extend to every part of your organization.
In our quest to help admins achieve that, we've compiled a list of the 10 Google Workspace security practices most recommended by our security experts here at GAT Labs and shared by Admins.
1. Review Your Drive Structure Regularly
Having the right Drive structure is a gift that keeps on giving when it comes to Drive security.
It helps you better understand (and identify) security gaps or vulnerabilities across your domain’s Drive, and take more granular actions to protect sensitive data.
Make it a habit to regularly review your company’s Drive structure (maybe quarterly), and check for better Drive restructuring opportunities.
One tool that admins find super helpful here is GAT+. You can use it to move files and folders in bulk across your domain and conduct deep Drive audits.
More on Shared Drive Structuring?
Check out our post: What’s the best Google Shared Drive Structure for my Organisation?
2. Improve Users’ Email Security
Your users' mailboxes are usually the first doors security threats knock on, whether through phishing emails, spoofing, or similar. Below are a few best practices there:
- Review email auto-forwarding: When users can set up email auto-forwarding in their Gmail settings and/or create filters that forward specific emails, it can introduce security hazards, since a single forwarding rule can quietly copy mail outside your domain.
- Delete Spam, Inappropriate or Accidental Emails for Users: Remove it whether it's an email that was accidentally sent to the wrong user or group, one that contains inappropriate content or sensitive information, or one that slipped past spam filtering or is a phishing email.
- Turn on Email DLP: Email DLP detects sensitive data and private information and keeps it from leaking outside your organization via email. Read more.
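The auto-forwarding review above, as an added Python example that is not code from this post or from GAT: it takes each user's results of the Gmail API calls users.settings.getAutoForwarding and users.settings.filters.list, shaped as the API returns them, and reports every forward target, marking the ones that leave the domain. The users and addresses are constructed for the example.

```python
"""Flag Gmail auto-forwarding and forward-filters, marking targets outside the domain.
Per-user input mirrors Gmail API users.settings.getAutoForwarding / filters.list; sample is constructed."""
from dataclasses import dataclass

SAMPLE_USERS = {  # constructed: what the two API calls would return for two users
    "alice@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "alice@personal-mail.example",
                           "disposition": "leaveInInbox"},
        "filters": [],
    },
    "bob@example.com": {
        "autoForwarding": {"enabled": False},
        "filters": [
            {"id": "f1", "criteria": {"from": "finance@example.com"},
             "action": {"forward": "drop@outside.example"}},      # external forward
            {"id": "f2", "criteria": {"subject": "newsletter"},
             "action": {"addLabelIds": ["TRASH"]}},              # no forward: not reported
            {"id": "f3", "criteria": {"hasAttachment": True},
             "action": {"forward": "archive@example.com"}},      # internal forward
        ],
    },
}

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # "auto_forward" or "filter_forward"
    target: str
    external: bool   # True when the target mailbox is outside our domain
    detail: str

def is_external(address: str, domain: str) -> bool:  # compare domain part, case-insensitive
    return address.rsplit("@", 1)[-1].lower() != domain.lower()

def audit_forwarding(users: dict, domain: str) -> list:
    """Return one Finding per forwarding rule found, in user order."""
    findings = []
    for user, settings in users.items():
        af = settings.get("autoForwarding", {})
        if af.get("enabled") and af.get("emailAddress"):
            target = af["emailAddress"]
            findings.append(Finding(user, "auto_forward", target, is_external(target, domain),
                                    "disposition=" + af.get("disposition", "")))
        for flt in settings.get("filters", []):
            target = flt.get("action", {}).get("forward")
            if target:  # filters that only label or archive are not a leak path
                findings.append(Finding(user, "filter_forward", target, is_external(target, domain),
                                        f"filter {flt['id']} criteria={flt['criteria']}"))
    return findings
```

Run it across all users in a domain-wide delegation loop and route the external findings to an alert; internal ones are worth a periodic review rather than an alarm.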
3. Audit and Enhance Your Google Workspace DLP
Google Workspace security and Data loss prevention (DLP) walk hand in hand — that’s why you’ll always find DLP at the top of every admin’s security priority list.
To improve your domain's DLP posture, below are a few CRUCIAL areas you'll want to stay on top of:
- Drive File Ownership: Check out our post, How to Manage Google Drive File Ownership like a PRO.
- Drive File Sharing: Audit Internal & External file-sharing activities, and revoke file-sharing permissions when needed.
You can also use GAT+ to configure automated DLP triggers and alerts that help you manage file-sharing exposure with extra security.
- Identify and protect sensitive files (PII, GDPR, etc.): Check out our post, The Admins’ Google Drive Management Playbook.
- Email DLP: Don't forget Email DLP, as discussed in point #2 above.
- NEW DLP in Chat: Google recently rolled out a beta feature to prevent data leaks from Chat messages and attachments. You can sign up for the DLP for Chat beta using this Google form.
4. Strengthen Users’ Identity Verification Processes
- Enforce & Monitor Strong Passwords: Send out regular password change reminders and change insecure passwords. Read more.
- Deploy 2-Step Verification (2FA) for your users: especially those who deal with sensitive data or those more susceptible to credential theft.
- Combat credential theft with Zero trust MFA: Speaking of credential theft, admins today are taking their domain's identity verification processes one step further using Zero trust techniques like typing behavior authentication.
This makes identity verification a constant process rather than a single event at sign-in. Read more.
- Monitor Logins from abroad: Logins from unexpected areas abroad are one of the tell-tale signs of a compromised account, especially now with the rise of remote work and eLearning.
One of the best ways to stay on top of this is by creating alerts for suspicious user login activities that happen from outside your City or Country.
*Check out our FULL 4 tell-tale signs of a compromised Google account.
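The login alert rule described above, as an added Python example that is not code from this post or from GAT: it runs over constructed login records (user, time, country, and the login audit event name) and flags successful logins from outside the allowed countries, from a country the user has never signed in from, and quick switches between countries. It assumes the event's IP has already been geolocated to a country code, as the admin console shows it.

```python
"""Alert on logins outside the org's expected countries, from a country a user has
never used, or switching countries implausibly fast. Records are constructed; the
country code is assumed to be geolocated from the login event's IP beforehand."""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGINS = [  # constructed login audit events (ISO times, ISO 3166 country codes)
    {"user": "alice@example.com", "time": "2024-03-01T08:00:00", "country": "IE", "event": "login_success"},
    {"user": "alice@example.com", "time": "2024-03-01T09:30:00", "country": "IE", "event": "login_success"},
    {"user": "alice@example.com", "time": "2024-03-01T10:05:00", "country": "RU", "event": "login_success"},
    {"user": "bob@example.com", "time": "2024-03-01T08:10:00", "country": "GB", "event": "login_success"},
    {"user": "bob@example.com", "time": "2024-03-01T14:00:00", "country": "US", "event": "login_failure"},
    {"user": "bob@example.com", "time": "2024-03-01T14:01:00", "country": "US", "event": "login_success"},
    {"user": "bob@example.com", "time": "2024-03-01T16:00:00", "country": "IE", "event": "login_success"},
]
# Constructed baseline: countries each user has signed in from historically.
BASELINE = {"alice@example.com": {"IE"}, "bob@example.com": {"GB"}}

def login_alerts(events, allowed_countries, baseline=None, window_hours=4):
    """Return one alert per suspicious successful login, in time order.
    Reasons: outside_allowed (country not in allow-list), new_country (never seen
    for this user), fast_switch (different country than the previous successful
    login within window_hours)."""
    seen = defaultdict(set)
    for user, countries in (baseline or {}).items():
        seen[user].update(countries)
    last = {}  # user -> (time, country) of the previous successful login
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] != "login_success":  # only successful logins count here
            continue
        user, country = ev["user"], ev["country"]
        t = datetime.fromisoformat(ev["time"])
        reasons = []
        if country not in allowed_countries:
            reasons.append("outside_allowed")
        if country not in seen[user]:
            reasons.append("new_country")
        prev = last.get(user)
        if prev and prev[1] != country and (t - prev[0]).total_seconds() <= window_hours * 3600:
            reasons.append("fast_switch")
        if reasons:
            alerts.append({"user": user, "time": ev["time"], "country": country, "reasons": reasons})
        seen[user].add(country)  # learn as we go so repeats don't re-alert
        last[user] = (t, country)
    return alerts
```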
5. Increase Phishing Protection
Phishing is one of the most common cybersecurity threats in today’s digital world. That’s why you should never underestimate the power of one simple phishing scam.
How to combat phishing in Google Workspace?
- Phishing awareness: Raise your users’ phishing awareness using regular reminders and activities (especially around big holidays, like Christmas, when phishing activity typically goes up).
*Check out our 5 Tell-tale signs of a Phishing email, you can also share the post with your users.
- Prevent phishing with Google’s Password Alert Extension (Read more)
6. Perform Regular Google Workspace Domain Audits
"Powerful domain auditing is a prerequisite for Google Workspace security."
- Review unusual spikes in activity in the admin console: That's your first whisper of security trouble. It can be unusual file deletions, downloads, failed login events, amplified file sharing, etc.
- Deploy security alert rules: You know the expression "saved by the bell"? That's exactly how alerts work. Alert rules help you automate your security processes.
- Get granular using a Google Workspace Auditing tool: While the admin console is a great place to start, it may not always be enough to secure and audit certain areas more granularly!
That’s why many admins today are using third-party tools like GAT to ramp up their domain security and auditing operations.
7. Secure Google Workspace User Offboarding
User offboarding has critical security implications that make it essential for your domain’s overall security (think of potential angry leavers and data protection obligations).
That’s why we’ve dedicated a post to How to Secure and Automate User Offboarding in Google Workspace in 5 Steps — Make sure to check it out for best offboarding practices.
8. Review Synced Apps And Devices
Synced apps and devices can also introduce unwanted security hazards to your domain, especially when they require a lot of access permissions into your users' Google environment.
Below are some best practices to follow:
I. FOR APPS:
- Always review Apps and their permissions.
- Control access to less secure apps for your domain.
- Control which apps can access Google Workspace data.
- Perform Chrome extension risk assessments (If applicable)
** You can also audit and set policies for apps running in your Google Workspace environment using GAT+.
II. FOR DEVICES:
- Make it a habit to regularly review Synced Devices and reassess your company’s device Policy.
9. Audit and Remove Suspicious Downloads
You’ll also want to protect your domain against malicious or unsafe downloads.
One simple practice to do that is to set up an alert rule to curb unsafe downloads across your domain.
Chrome GAT Tip: Use GAT Shield to report in real time on downloads happening while users are logged into their Chrome Browser profile. (Shield is the only real-time DLP solution in the market).
10. Deploy URL Blocking
Blocking users’ access to potentially malicious websites is our final best practice on the list today.
This helps you protect your organization from viruses and malicious content found on these websites.
To manage URL blocking for your users you can:
- Allow access to all URLs, except the ones you block.
- Block access to all URLs, except the ones you allow.
- Define exceptions to very restrictive blocklists.
- Allow Chrome browser to open apps.
You can also get more granular on your content filtering operation using GAT Shield and create site categories using Bulk imports of URLs.
GAT Labs for Google Workspace Security and Auditing
GAT+ is the number one security and audit solution for Google Workspace and Chrome in the market today — with 16M+ audited users worldwide.
So, have you tried any of the above practices yet? How did you find them, and do you have more tips and tricks to share with other fellow admins? Let us know your thoughts at firstname.lastname@example.org