Google Workspace is typically one of the most crucial environments for organisations. Administrators within Google Workspace have a range of privileges available to them, which can be utilised to bolster security.
In this guide, we share 7 quick tips that an administrator should apply within the Admin console (admin.google.com) to help secure the Google Workspace environment.
The following recommendations are based on features available in the “Business Standard” Pricing tier and above. Some features recommended in this guide may not be available in the “Business Starter” Model.
1) Ensure everybody in the organisation is using strong passwords
Log in to the Admin console (admin.google.com)
Navigate to Security -> Authentication -> Password management
From there, ensure that the minimum password length is at least 12 characters
If you already have employees within Google Workspace, consider ticking “Enforce password policy at next sign-in” so that all users have to change their password to meet the new minimum length
Password expiry should be set to “never expires”, as it is no longer best practice to change passwords frequently (i.e. every 3 months)
2) Enforce two factor authentication (2FA)
It’s recommended that all users on Google Workspace have two-factor authentication enabled. For most employees, their email account is the most critical account they hold, so enforcing 2FA company-wide makes sense in most cases.
To do so, navigate to Security -> Authentication -> 2 step verification within the Google Admin console, the same area as the password management settings. The following settings shown are recommended:
It's recommended that 2FA should be enforced across all user accounts to boost security.
You can choose an enforcement date by clicking “On from” if you wish to notify users beforehand that you will be enforcing 2FA. This is also recommended, so that people are not locked out of their accounts and do not feel like security is working against them.
3) Turn on alert monitoring
By navigating to the “Rules” tab on the left-hand side of your Google Workspace Admin console, you can turn on alerts that notify an admin when certain events occur.
We recommend enabling the alerts shown above. These alerts should also be configured to send an email notification to your admins, allowing you to monitor for suspicious activity in Google Workspace.
4) Manage External sharing of Files
The rules you apply to external sharing of files will depend on how your organisation operates. We recommend disabling the option to share a file (such as a Google Doc) with “anyone with a link”.
This will help reduce the likelihood of sensitive files being accessible by more people than intended. The “restricted” option is a better choice, as it ensures files are shared directly and only with the people you intend to share with.
To switch this feature off through the Google Admin console, navigate to Apps -> Google Workspace -> Drive and Docs -> Sharing Settings and untick the following box within the sharing options:
If you wish to apply this only to specific users, this can be controlled through the creation of “child organisational units”.
5) Create more than one Google Workspace Super Admin
One practical step we recommend is to have more than one super admin in Google Workspace.
This approach helps prevent a single point of failure, ensuring business continuity if one admin is unavailable or their account is compromised. It also avoids control of the entire organisation being assigned to one individual. We suggest designating someone from management as a super admin alongside an IT representative or another individual responsible for technical changes.
The number of super admins should still be limited and not handed out without careful consideration. Be sure to enforce strong security measures for these accounts and regularly review access controls to ensure appropriate levels of access and privileges are maintained.
To assign another user super admin privileges, within the Google Admin console you will need to:
Go to Users.
In the Users list, click the user's name.
Go to Admin roles and privileges.
Click the Super Admin role and click the slider to change it to Assigned.
Click Save.
6) Configure Account Recovery Options
On the Google Admin Console:
Go to Security
Click on Authentication
Navigate to Account Recovery
From here you can decide whether super admins and regular users can recover their own accounts. Depending on whether you turn these options on or off, users will either be able to recover their accounts themselves or will need an admin to perform the recovery.
If you decide to give the option for self-account recovery, ensure that all users set up a recovery phone number or email address following this guidance.
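To check that the settings from tips 2, 5 and 6 have actually taken effect across accounts, the following added example (not part of the original guide) audits a user listing in the shape returned by the Admin SDK Directory API `users.list` call, where `isAdmin` marks a super admin. The sample accounts are constructed, and the `audit_users` function and the two-super-admin threshold are assumptions for illustration.

```python
import json

# Constructed sample in the shape of an Admin SDK Directory API users.list
# response (fields: primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv,
# suspended, recoveryEmail, recoveryPhone). All accounts are made up.
SAMPLE = json.loads("""
{"users": [
  {"primaryEmail": "it.admin@example.com", "isAdmin": true,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true,
   "recoveryEmail": "it.admin@example.net", "recoveryPhone": "+15550100"},
  {"primaryEmail": "director@example.com", "isAdmin": true,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "sales@example.com", "isAdmin": false,
   "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false,
   "recoveryPhone": "+15550101"},
  {"primaryEmail": "leaver@example.com", "isAdmin": false, "suspended": true,
   "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false}
]}
""")


def audit_users(listing, min_super_admins=2):
    """Return findings for tips 2, 5 and 6; suspended accounts are skipped."""
    active = [u for u in listing.get("users", []) if not u.get("suspended")]
    supers = [u["primaryEmail"] for u in active if u.get("isAdmin")]
    findings = {
        "super_admins": sorted(supers),
        # Tip 5: a single super admin is a single point of failure.
        "too_few_super_admins": len(supers) < min_super_admins,
        # Tip 2: accounts that have not enrolled a second factor.
        "not_enrolled_2sv": sorted(u["primaryEmail"] for u in active
                                   if not u.get("isEnrolledIn2Sv")),
        # Enrolled voluntarily, but the enforcement policy does not cover them.
        "enrolled_not_enforced": sorted(
            u["primaryEmail"] for u in active
            if u.get("isEnrolledIn2Sv") and not u.get("isEnforcedIn2Sv")),
        # Tip 6: self-recovery needs a recovery phone or email on file.
        "no_recovery_info": sorted(
            u["primaryEmail"] for u in active
            if not (u.get("recoveryEmail") or u.get("recoveryPhone"))),
    }
    # Highest priority: privileged accounts with no second factor.
    findings["super_admins_without_2sv"] = sorted(
        set(supers) & set(findings["not_enrolled_2sv"]))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_users(SAMPLE), indent=2))
```

Accounts listed under `super_admins_without_2sv` are the ones to fix first, since they combine the widest privileges with the weakest sign-in.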
7) Turn on Enhanced pre-delivery message scanning
Navigate to Apps -> Google Workspace -> Gmail -> Spam, phishing and malware and enable Enhanced pre-delivery message scanning.
This option allows Gmail to perform additional security checks on emails to help identify any suspicious content. Message delivery is slightly delayed as a result, but the delay is not significant.
Overall, the aim of this guide is to help secure some quick wins for admins of an organisation’s Google Workspace environment. If you require any further assistance with this, we look at a handful of critical environments for SMEs as part of our Security Lockdown service.
For anything else, you can book a free call here or get in touch.