We recently had this exchange regarding email security with a client:
Client (Microsoft user): We got acquired and now our parent company wants us to move from Microsoft Office 365 to Google Workspace.
vCISO and me: Oof, that sounds like a lot of work! But frankly, we’re a little relieved to hear that.
Why would we be relieved to learn they’re switching providers?
Phishing remains the single most prevalent attack vector in 2022. And several other attacks originate at the organization’s end, like human error, malicious insiders, malware, ransomware. Because they are so numerous, putting controls in place to mitigate their risk is very important.
The two leading business email services, Microsoft 365 (Outlook) and Google Workspace (Gmail), can do a lot on their end to help their users out with this. Here’s the thing: Google builds good protection into Gmail by default. Microsoft does not do the same for Outlook.
Note: We are using Outlook and Gmail in this article based on colloquial language used by many of our clients.
Gmail vs Outlook: The Core Differences
Though a lot of aspects like app features, collaboration, availability, support, compliance are similar, the approach and design of the systems are different. So naturally, the approach towards security is also different.
When people say Gmail, they are referring to an email provider – an email service provided by Google along with the platform created to access and manage the email service. Outlook (or Microsoft 365 email) on the other hand is an email client. It is an application designed to help people manage email. Microsoft and Google solve different security problems, so security is a tough category to evaluate.
Gmail is much more secure out of the box
Both Gmail and Outlook both offer more or less the same security features: multi-factor authentication, encryption in transit, spam, phishing, and malware detection. The difference lies in how the features are made available to different tiers and how much fine-tuning is required.
Gmail generally has more secure defaults. For example: email scanning for malicious emails. It’s an obvious control that every system should have on all the time. Gmail has it on by default, but Outlook does not.
Reduced phishing emails in inbox
Both Outlook and Gmail stop a large portion of spam and phishing emails from flooding your inbox. But, in our experience, Gmail has a much more robust anti-spam technology and our Gmail clients report far fewer phishing or spoofed emails in the inbox. The difference really is significant in our experience.
Google takes malware threats very seriously. They use both automatic and manual scanners to scan the Google search index to determine which websites may be malware or phishing traps. Compared to this, Microsoft has had bugs to work with in terms of threat detection. Be it Exchange Server and its vulnerabilities that are widely exploited, or Outlook for Mac that allows malicious actors to use the email service to distribute malware, or sometimes even the over-enthusiastic Defender that blocks or quarantines legitimate messages.
For Security, Gmail is a much better value.
Gmail also has great security features like scanning/blocking malicious hyperlinks, anti-phishing, attachment scanning available with their standard plan. Outlook, on the other hand, only offers some of these features and that too with advanced licenses. A more advanced Microsoft license can also buy you ‘Advanced Threat Protection for Attachments’ and ‘Advanced Threat Protection Safe Links’ on top of the ‘regular’ protection for attachments and links. Google gives all (except one) email security features with even its most basic license – offering a good level of protection even for entry-level users and very small businesses.
That’s not to say Gmail is perfect. They have less customizable security features than Outlook.
For instance, Outlook allows filtering attachments by file types, or setting extra protections for certain groups, which Gmail does not.
Overall, Google’s budget plans offer better security features and have better default settings.
Outlook vs Gmail: Should I switch to Gmail?
While this might seem odd after comparing the two, our answer to this question is categorically no! The amount of time and effort it would take to switch your email and cloud office provider would not provide a worthwhile return on your security investment.
Instead, if you are using Microsoft’s basic E3, Level 1 license, we recommend fine-tuning their settings and using an additional email security tool to secure your environment. Some options include GreatHorn, Avanan, and Mimecast, they all provide layered, defense-in-depth security features and sometimes even integrated incident response.
And if you do find yourself in a situation like a merger, where you have to pick a provider? Know that Google provides better security by default.
Your Configuration Matters
Regardless of whether you are using Gmail vs Outlook, ensure that you have it set up right. Refer to our guides on Outlook email security settings and Google Workspace secure configurations for simple instructions to configure both for better security. Lastly, you cannot just rely on technical controls, it is highly important to ensure security awareness amongst employees and an overall culture of security in the organization.
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.