Google Workspace is the central work platform for many SMBs: Gmail, Drive, Meet, Calendar — all in one place. But the default configuration is optimized for usability, not security. Most security features are available but not enabled.
Why Default Settings Aren't Enough
A freshly configured Google Workspace tenant allows external file sharing by default, has no enforced two-factor authentication, and no DLP policies. This means any employee can share sensitive documents via link with the entire world — accidentally or intentionally.
According to industry reports, misconfigured cloud services are among the top three causes of data breaches in small and medium businesses.
The 7 Critical Settings
1. Enforce Two-Factor Authentication
Passwords alone don't protect accounts. Enforce 2FA for all users in the Admin Console under Security → 2-Step Verification. Allow only security keys and the Google Authenticator app — no SMS codes.
2. Restrict External File Sharing
Under Apps → Google Drive → Sharing Settings, you can restrict external sharing to specific domains or display a warning. For particularly sensitive organizational units, external sharing should be completely disabled.
3. Control Third-Party App Access
Third-party apps requesting OAuth access to Google data are a common entry point. Under Security → API Controls → App Access Control, you can block untrusted apps and only allow vetted applications.
4. Configure Email Authentication
SPF, DKIM, and DMARC protect your domain from email spoofing. Without these records, attackers can send emails that appear to come from your organization. Configuration is done in your DNS settings and the Google Admin Console.
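As an added example that is not part of the original article, the following Python script audits SPF and DMARC TXT records for the weak settings a spoofing-resistant configuration must avoid (a permissive `all` mechanism, `p=none`, no reporting address). The records are constructed sample values and `example.com` is a placeholder; DKIM selector records are not checked.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example)."""
import re
from typing import Dict, List

# Constructed sample records; in practice fetch the TXT record of the domain
# (SPF) and of _dmarc.<domain> (DMARC) from DNS.
SAMPLE_SPF_STRONG = "v=spf1 include:_spf.google.com ~all"
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com +all"
SAMPLE_DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"

LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|redirect=|exists:)")


def audit_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means no weakness found."""
    findings: List[str] = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what receivers do with senders not listed.
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("missing 'all' mechanism; unlisted senders are neutral")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("'+all' authorises every sender; use '-all' or '~all'")
    elif all_terms[-1] == "?all":
        findings.append("'?all' is neutral; use '-all' or '~all'")
    # More than 10 DNS-querying mechanisms makes receivers return permerror.
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings


def audit_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means no weakness found."""
    findings: List[str] = []
    if not record.startswith("v=DMARC1"):
        return ["not a DMARC record"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no 'rua' address; no aggregate reports are received")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves some spoofed mail unenforced")
    return findings
```

Run `audit_spf(SAMPLE_SPF_WEAK)` and `audit_dmarc(SAMPLE_DMARC_WEAK)` to see the findings; the strong samples return no findings.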
5. Secure Account Recovery
Under Security → Account Recovery, enable the setting so that only administrators can recover accounts. Disable self-recovery for privileged accounts: this prevents social engineering attacks via the support path.
6. Enable Gmail Security Rules
Gmail offers advanced settings under Apps → Gmail → Safety: attachment protection, link protection, and spoofing detection. These features are included in most licenses but not configured at the strictest level by default.
7. Set Up Audit Logs and Alerts
Under Reporting → Audit Logs, you can track suspicious activities: unusual logins, mass file downloads, administrator changes. Set up email notifications for critical events.
What's Often Overlooked
The most common gap isn't a missing feature — it's shadow IT. Employees use personal Google accounts alongside their company account and move documents between both. Without clear policies and technical controls, sensitive data leaves the organization unnoticed.
Another blind spot: super admin accounts without their own security policies. Administrator accounts should never be used for daily work. Create separate admin accounts with enforced security keys.
The Difference Between License and Configuration
Google Workspace Business Standard and Business Plus already contain extensive security features. The problem isn't missing licenses — it's missing configuration. A structured security audit reveals in a few hours which settings are active, misconfigured, or disabled.
Next Steps
A Google Workspace Security Audit systematically checks all security-relevant settings of your tenant and delivers concrete, prioritized recommendations.
Book a Google Workspace Audit to learn the current security status of your environment.