Which of these scenarios sounds scarier:
A bad guy manages to compromise an employee’s email account.
A bad guy manages to compromise an employee’s Google Workspace account.
If you’re a Google business, hopefully you picked the second option!
While business email compromises are always bad, Google Workspace’s functionality as an online office suite and document storage solution puts a lot more data at risk. Email, file storage, document collaboration, calendar, sites, even video conferencing – if you are a Google shop, Google Workspace is the backbone of your company’s productivity and day-to-day operations. To make matters worse, it’s likely that sensitive and confidential business data is stored on every Google Drive.
All businesses using Google Workspace should account for the large risk of a Google account compromise by implementing the best security settings for Google Workspace possible.
Thankfully, Google Workspace mostly has strong default security settings (unlike Microsoft Office 365), but there is room for improvement.
Google Workspace Security Settings
While many of Google’s default security settings are actually quite good, they’re not all perfect. Additionally, it’s possible for organizations to drift away from the best Google Workspace security settings if they were not purposefully configured in the first place. The following settings are Fractional CISO’s recommendations to maximize the security of your Google Workspace environment.
Note that these settings are for the most common license, Business Standard, used by most medium-sized companies. More enhanced security options are available with Business Plus or Enterprise licenses. You need to be logged in as a Google Workspace Admin (or Google Admin) in order to configure these settings. If you aren’t a Google Workspace expert or admin, you should be able to hand this article over to one so they can check your environment’s settings and implement any needed changes.
Account and Authentication
Password settings can be found at Security > Password Management.
Google’s default minimum password length is 8 characters, which is actually pretty weak. An 8-character password can be cracked quickly by a computer that simply guesses every possible combination. Longer passwords increase the password entropy (how many guesses it would take to find the right password), dramatically increasing password security.
Recommended Setting: Increase the minimum password length to at least 12 characters. Longer passwords are always better!
Requiring the use of password managers helps employees use strong, unique passwords.
Recommended Setting: Check “Enforce strong passwords.” This forces users to use random strings of characters, because relying on password length alone is not enough.
Recommended Setting: Uncheck “Allow password reuse.”
Note: setting passwords to ‘never expire’ is okay ONLY if 2-step verification is enforced for all users.
We recommend that all organizations mandate the use of password managers; they make adopting good password hygiene much easier.
Multi-factor Authentication (MFA)
Multi-factor authentication settings can be found at Security > 2-Step Verification.
Multi-factor authentication (MFA) greatly increases the difficulty of compromise and reduces risk, as an attacker now has to defeat at least two different authentication mechanisms.
MFA is NOT enabled by default.
Recommended Setting: Enforce 2-step verification for all users. To make life a little easier for everyone, turn ON “Allow users to trust the device.”
Recommended Methods: Any set of methods is okay, but authenticator apps are the most secure option and the best compromise between convenience and security. Having something (anything) for MFA is still better than having nothing at all.
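Because 2-step verification is not enforced by default, it is worth verifying coverage rather than assuming it. The following is an added example, not code from the original article: it audits a JSON response shaped like the Admin SDK Directory API users.list call (fields primaryEmail, isEnrolledIn2Sv, isEnforcedIn2Sv, isAdmin, suspended) and separates users who are merely unenrolled from users on whom no policy is enforced at all; the sample response is constructed.

```python
"""Audit Google Workspace users for 2-Step Verification (2SV) coverage.

Added example, not from the original article. It assumes a JSON response
shaped like the Admin SDK Directory API users.list call; the
SAMPLE_RESPONSE below is constructed, not real directory data.
"""
import json

SAMPLE_RESPONSE = json.dumps({
    "users": [
        {"primaryEmail": "admin@example.com", "isAdmin": True,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "alice@example.com", "isAdmin": False,
         "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "bob@example.com", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False},
        {"primaryEmail": "carol@example.com", "isAdmin": True,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
        {"primaryEmail": "old@example.com", "isAdmin": False,
         "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
    ]
})


def audit_2sv(users_json: str) -> dict:
    """Return active users not enrolled in 2SV, split by whether enforcement
    applies to them, plus a 'critical_admins' list of admins with no 2SV."""
    users = json.loads(users_json).get("users", [])
    report = {"not_enrolled_enforced": [], "not_enrolled_unenforced": [],
              "critical_admins": []}
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in, so they are not a gap
        if u.get("isEnrolledIn2Sv"):
            continue  # enrolled users are covered regardless of policy
        email = u["primaryEmail"]
        if u.get("isEnforcedIn2Sv"):
            # policy applies but the user has not enrolled yet (grace period)
            report["not_enrolled_enforced"].append(email)
        else:
            # no enforcement at all: the "MFA is NOT enabled by default" case
            report["not_enrolled_unenforced"].append(email)
        if u.get("isAdmin"):
            report["critical_admins"].append(email)  # admins without 2SV first
    return report


if __name__ == "__main__":
    print(json.dumps(audit_2sv(SAMPLE_RESPONSE), indent=2))
```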
Drive and Documents
Apps > Google Workspace > Drive and Docs > Sharing Settings
Google Drive and Documents are used not only to collaborate on documents but also to share files and documents. That makes it important to manage permissions and keep in mind what kind of files are being shared with whom.
The settings here really depend on your organization’s requirements and use cases. If the data you are sharing is sensitive, you need to be certain that it is being shared with a trusted person and that they will not pass it on. Fortunately, even though Google’s folder structures can get in the way of effective organization and productivity, they do allow some good settings when it comes to file and folder sharing and access.
We recommend using caution when choosing permissions for your files and folders to ensure the privacy and security of the organization’s data. Ask yourself and your team: Is there a use case for this? Do users need this level of permission or access to do their jobs?
> Sharing Options
Recommended: Turn OFF to ensure users cannot publish files to the web or make them visible to the world as public or unlisted files.
Default: ON (users are allowed to publish).
Recommended: Ensure only users inside your organization can distribute content externally.
Default: Anyone with access to a file can distribute it externally.
Recommended Setting: For files owned by users in Company warn when sharing outside of Company: ON
Recommended: Allow users in Company to send invitations to non-Google accounts outside of Company: ON
Recommended: Allow users in Company to publish files on the web or make them visible to the world as public or unlisted files: OFF
> Shared Drive Creation
Recommended: Prevent users from creating new shared drives: OFF
Recommended: Allow members with manager access to override the settings below: OFF
Recommended: Allow users outside your company to access files in the shared drives: ON
Recommended: Allow users who aren’t shared drive members to be added to files: ON
This lets you follow a need-to-know policy by allowing users to access a particular file without getting access to the entire drive.
Recommended: Allow viewers and commentators to download, print, and copy files: OFF
> Link Sharing
Gmail Security Settings
Apps > Google Workspace > Gmail
> User Settings
Recommended: Let users delegate access to their mailbox to other users in the domain: OFF
Google has good defaults for Gmail. Don’t let users delegate access to their mailbox; only admins should be allowed to delegate access to a user’s mailbox.
> Spam, Phishing and Malware
Recommended: Enable improved detection of suspicious content prior to delivery: ON. Use the email whitelist to prevent emails from certain addresses from being marked as spam, if needed.
> Safety > Attachments
Recommended: Turn all attachment security settings to ON
Default: All attachment settings are ON.
> Safety > Spoofing and Authentication
Recommended: Ensure that all settings are ON.
Recommended: Set action to ‘Move email to spam’
Default: All OFF. Action set to ‘Keep email in inbox and show warning’
Some of these settings may be a little restrictive. For example, “Protect against inbound emails spoofing your domain” may cause trouble if you enable it before configuring both Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and “Protect against any unauthenticated emails” will identify and (possibly) move to spam any email that does not pass either the SPF or the DKIM check. However, the first two, protecting against spoofing from similar domain names and from employee names, seem like no-brainers, right? So why does Google not have them ON by default?
Tip: You can use EmailSpoofTest, an email self-penetration testing platform, to test and validate the security of your email system.
> Safety > Links and External Images
Recommended: Ensure that all settings are ON
> Safety > IMAP view time protections
Recommended: Enable IMAP protection: ON
> End User Access > POP and IMAP
Recommended: POP and IMAP access is OFF for all users
Disabling POP and IMAP is highly recommended. It prevents the use of legacy and unapproved email clients with weaker authentication mechanisms that could bypass MFA and increase the risk of email account credential compromise.
High user impact: If you have Apple iOS or Android device users in your organization and you turn IMAP off, let them know that they’re no longer syncing Google Workspace mail to the iOS Mail app or Microsoft Outlook. They might not get a notification on their device. Additionally, new users can’t manually add the Google Account they use for work or school to the device.
If your Google Workspace users want to use desktop clients, such as Microsoft Outlook and Apple Mail, to access their Google Workspace mail, you need to enable POP or IMAP access in the Google Admin console. You can enable access for everyone in your organization or only for users in specific organizational units.
> End User Access > Automatic forwarding
By default in Gmail, all users are allowed to automatically forward email to another address. This is not the most secure setting: if an attacker gains control of an end-user account, they could create rules to exfiltrate data from your environment. Care should be taken before implementation to ensure there is no business need for case-by-case auto-forwarding. Disabling auto-forwarding to remote domains will affect all users in an organization.
Recommended: Ensure per-user outbound gateways is OFF.
Default: per-user outbound gateways is OFF
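Where auto-forwarding cannot be disabled outright, the exfiltration rules described above can at least be detected. The following is an added example, not code from the original article: it inspects JSON shaped like the Gmail API users.settings.filters.list and users.settings.getAutoForwarding responses for a mailbox, flags any forward to an address outside the company domain (an assumed value), and rates a filter higher when it also hides the forwarded message from the inbox. The two sample responses are constructed.

```python
"""Detect mailbox forwarding to outside domains in Gmail API settings output.

Added example, not from the original article. It assumes JSON shaped like the
Gmail API users.settings.filters.list and users.settings.getAutoForwarding
responses; COMPANY_DOMAIN and both samples below are constructed assumptions.
"""
import json

COMPANY_DOMAIN = "example.com"  # assumption: the organization's primary domain

# constructed: one benign internal filter, one external forward that also hides mail
SAMPLE_FILTERS = json.dumps({"filter": [
    {"id": "f1", "criteria": {"from": "alerts@example.com"},
     "action": {"addLabelIds": ["Label_7"]}},
    {"id": "f2", "criteria": {"query": "invoice OR wire OR payment"},
     "action": {"forward": "collector@mail-drop.invalid",
                "removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
]})
SAMPLE_AUTOFORWARD = json.dumps({"enabled": True,
                                 "emailAddress": "archive@example.com",
                                 "disposition": "leaveInInbox"})


def _is_external(address: str, domain: str) -> bool:
    """True when the mailbox part after '@' is not the company domain."""
    return address.rsplit("@", 1)[-1].lower() != domain.lower()


def find_external_forwarding(domain, filters_json, autoforward_json):
    """Return findings: filters forwarding outside `domain` (noting whether
    they also hide the message) and mailbox-wide external auto-forwarding."""
    findings = []
    for f in json.loads(filters_json).get("filter", []):
        action = f.get("action", {})
        target = action.get("forward")
        if not target or not _is_external(target, domain):
            continue  # no forward, or forward stays inside the organization
        # removing INBOX or trashing the copy keeps the victim from noticing
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or "TRASH" in action.get("addLabelIds", []))
        findings.append({"type": "filter", "id": f.get("id"), "target": target,
                         "hides_original": hides,
                         "severity": "high" if hides else "medium"})
    af = json.loads(autoforward_json)
    if af.get("enabled") and _is_external(af.get("emailAddress", ""), domain):
        findings.append({"type": "autoforward", "target": af["emailAddress"],
                         "hides_original": af.get("disposition") != "leaveInInbox",
                         "severity": "high"})
    return findings


if __name__ == "__main__":
    for item in find_external_forwarding(COMPANY_DOMAIN, SAMPLE_FILTERS, SAMPLE_AUTOFORWARD):
        print(item)
```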
Good Google Workspace Security Settings are just the Beginning
Getting good Google Workspace security settings in place is just the beginning of securing a Google Workspace environment. This doesn’t cover topics such as drive permissioning best practices, complete spoofing protection, or end-user security awareness training.
Despite the good defaults, don’t get lazy about checking these settings! Perform regular reviews of this list and your settings, and keep an eye on Google’s Security Health Recommendations to make sure you are maximizing your Google Workspace environment’s security at all times.
Google Workspace is an extremely valuable tool, so the time and effort required to secure it is very much worth it to protect the information, reputation, and brand value of your organization.