To protect your organization’s sensitive data and reduce the risk of account takeover, the most effective step is to follow best practices for user management and authentication. This guide clarifies the essential Google Workspace user security settings every business should implement to secure its account.
Protect Your Google Workspace Super Admin Accounts
Admin > Directory > Users
Super admin accounts hold privileges that enable wide-reaching changes in Google Workspace, so securing these accounts is critical.
- Create at least two separate super admin accounts.
- Avoid using super admin accounts for daily activities. An employee who is a super admin should have two accounts: a standard user account for everyday business and a super admin account for admin functions.
- Employees with a super admin account should not keep that account signed in on their devices.
- Generate backup codes for super admin accounts and store them securely in an encrypted password manager.
Enforce Strong Passwords for All Users
Admin > Security > Authentication > Password Management
Strong passwords are your first line of defense against unauthorized access.
- Enable “Enforce strong password,” with a minimum length of 16 characters. Longer passwords raise the cost of brute-force attacks.
- Don’t allow password reuse. Reusing a previous password lets a credential that was exposed earlier become valid again.
Enforce Multi-Factor Authentication (2-Step Verification)
Admin > Security > Authentication > 2-step verification
2SV adds an essential layer of protection against password theft and phishing attacks.
- Check “Allow users to turn on 2-Step Verification.”
- Require all new users to set up 2SV during account creation.
- For most businesses, the Frequency should be set to “Allow user to trust the device.” High-risk businesses might choose to force 2SV at every login.
- For most businesses, the Methods should use “Any except verification codes via text, phone call.” Codes delivered by SMS or phone call can be intercepted or phished, so those methods are not recommended.
Lock Down Google Workspace Account Recovery Settings
Admin > Security > Authentication > Account Recovery
Bad actors exploit weak account recovery options to take over accounts.
- Don’t allow super admins to recover their accounts. Restricting a super admin’s account recovery takes away an attack vector.
- Don’t allow users to recover their accounts. This forces account recovery to be performed by a super admin.
- Don’t allow users to add recovery email or phone numbers to their account. This takes away the recovery information attack vector.
Turn on Enhanced Malware and Phishing Protection
Admin > Apps > Google Workspace > Gmail > Spam, Phishing, Malware
The most effective way for an attacker to compromise accounts is through email-based attacks.
- Turn on enhanced pre-delivery message scanning. When Gmail detects suspicious content, delivery is briefly delayed so that Gmail can run additional security checks on the message.
- Turn on enhanced malware & phishing protection. This uses blocklists and AI to identify dangerous links in real time and reclassify spam faster.
- Enable the security sandbox. This protects against dangerous attachments.
Audit Your Users
Admin > Directory > Users
Periodically audit your user directory in Google Workspace to ensure there are no unintended authorized users and that permissions are appropriate.
- Ensure users have appropriate permissions for their roles.
- Delete or deactivate any user accounts that are no longer with the company.
- Delete or deactivate any unassigned or unused accounts.
- Audit the user list for unrecognized accounts that a bad actor might have created. Finding one is a sign that you have had a security incident, and you should consider reaching out to a firm like BlueCoat for assistance.
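The audit described in this section, together with the super-admin and 2SV requirements above, can be checked mechanically against an exported user list instead of by eye. The Python below is an added example, not part of the original guide and not Google tooling; it runs over a constructed sample in the shape of Directory API `users.list` records (the field names `isAdmin`, `isEnrolledIn2Sv`, `suspended`, `lastLoginTime`, `recoveryEmail` and `recoveryPhone` are the API's; the sample accounts, the 90-day staleness threshold and the HR roster are assumptions made for the example).

```python
"""Audit a Google Workspace user export against the settings in this guide.

Checks: at least two active super admins, 2SV enrolled for every active user
(flagging super admins explicitly), no recovery email/phone on file, no
accounts that have not signed in for a long time, and no accounts missing
from an HR roster (possible attacker-created accounts).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real accounts. Field names mirror the
# Directory API User resource so the same logic can run on a real export.
SAMPLE_USERS = [
    {"primaryEmail": "admin1@example.com", "isAdmin": True, "isEnrolledIn2Sv": True,
     "suspended": False, "lastLoginTime": "2024-05-01T09:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": ""},
    {"primaryEmail": "admin2@example.com", "isAdmin": True, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2024-05-02T09:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": ""},
    {"primaryEmail": "alice@example.com", "isAdmin": False, "isEnrolledIn2Sv": True,
     "suspended": False, "lastLoginTime": "2024-05-03T09:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": "+15555550100"},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "2023-11-01T09:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": ""},
    # Never logged in: the API reports the Unix epoch as lastLoginTime.
    {"primaryEmail": "svc-legacy@example.com", "isAdmin": False, "isEnrolledIn2Sv": False,
     "suspended": False, "lastLoginTime": "1970-01-01T00:00:00.000Z",
     "recoveryEmail": "", "recoveryPhone": ""},
]

# Assumed HR roster of accounts that are expected to exist (hypothetical input).
SAMPLE_ROSTER = {"admin1@example.com", "admin2@example.com",
                 "alice@example.com", "bob@example.com"}

# Fixed "now" so the sample produces the same result every run (assumption).
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold


def parse_login(ts):
    """Parse the RFC 3339 timestamp with millisecond precision and Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, known_accounts=None, now=NOW, stale_after=STALE_AFTER):
    """Return a list of (subject, finding) tuples; an empty list means clean."""
    findings = []

    # Tenant-level check: the guide asks for at least two super admin accounts.
    active_admins = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    if len(active_admins) < 2:
        findings.append(("tenant", "fewer than two active super admins"))

    for u in users:
        email = u["primaryEmail"]
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; nothing more to check
        if known_accounts is not None and email not in known_accounts:
            findings.append((email, "not in HR roster"))
        if not u.get("isEnrolledIn2Sv"):
            note = "2SV not enrolled"
            if u.get("isAdmin"):
                note += " (super admin)"
            findings.append((email, note))
        if u.get("recoveryEmail") or u.get("recoveryPhone"):
            findings.append((email, "recovery email/phone present"))
        if now - parse_login(u["lastLoginTime"]) > stale_after:
            findings.append((email, "no sign-in in %d days" % stale_after.days))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_users(SAMPLE_USERS, known_accounts=SAMPLE_ROSTER):
        print("%-26s %s" % (subject, finding))
```

Run against a real export, `known_accounts` would come from the HR system and `now` from the clock; the staleness threshold is a policy choice, and the roster check is what turns the "unrecognized accounts" bullet into something that can be scheduled rather than eyeballed.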