Table of Content
In today's digital landscape, protecting your organization's data is more crucial than ever. Google Workspace, while powerful and convenient, can be vulnerable to various security threats if not properly managed. From phishing attacks to unauthorised access, the risks are real and potentially devastating.
Implementing robust security measures for your Google Workspace isn't just a good practice—it's essential for safeguarding sensitive information, maintaining client trust, and ensuring business continuity.
You've worked tirelessly to build your business. Don't let security risks undermine your success. Implement these measures to safeguard your business information.
This guide outlines key steps to enhance your Google Workspace security, helping you create a safer digital environment for your team and data.
1. Enforce Strong Authentication Methods
- Two-Factor Authentication (2FA): Mandate all users to enable 2FA, adding an additional security layer by requiring a secondary form of verification besides a password. This greatly minimizes the risk of unauthorized access, even if passwords are compromised.
- Encourage use of security keys for strongest protection: Security keys are physical small hardware devices that provide an extra layer of authentication beyond passwords and traditional two-factor methods. They offer strong resistance against phishing attacks. We recommend implementing 2SV throughout your organization, with a particular focus on admins and those managing sensitive data, such as financial records and employee information. Enforcing 2SV for these critical roles is essential.
2SV requires users to confirm their identity using both something they know (like a password) and something they have (such as a physical key or access code) to gain access.
Step 1: Inform Users About 2-Step Verification Implementation
Before rolling out 2-Step Verification (2SV), notify your users about the upcoming changes and the benefits of the new security measures.
Step 2: Enable 2-Step Verification for Users
For accounts created before December 2016, 2SV is enabled by default.
How to allow users to activate 2SV and choose their preferred verification method.
1. Sign into Google Admin Console.
a. Navigate to Menu > Security > Authentication > 2-Step Verification.
2. (To apply the setting to everyone, leave the top organizational unit unselected. Otherwise, select a child organizational unit or a configuration group.)
3. Check the option to "Allow users to enable 2-Step Verification".
a. Set the Enforcement to "Off".
b. Click Save.
- Password Management: Encourage the use of strong, unique passwords that are at least 12 characters long. Avoid using easily guessable information like birthdays or common words. Consider implementing a password manager to help users securely manage their credentials.
Utilize Google Password Manager to:
Generate and store robust, unique passwords directly in your Google Account, eliminating the need to memorize them.
Secure all your saved passwords with advanced built-in protection.
Effortlessly auto-fill passwords on websites and apps.
2. User Access Management
- Role-Based Access Control: Assign permissions based on users' roles within the organization. This limits access to sensitive data only to those who need it for their job functions, reducing the risk of data breaches.
- Regularly Review User Roles: Periodically audit user roles and permissions to ensure they align with current job responsibilities and remove access for users who no longer need it.
3. Monitor Synced Apps and Devices
As a Google Workspace domain administrator, it’s essential to regularly review the apps installed within your domain to safeguard your organization’s data. Synced apps and devices in Google Workspace can increase the risk of security incidents. As the number of applications and devices grows, so does the potential attack surface. But, there is no need to fret. There are security measures you can implement to protect your Google Workspace environment.
Audit Your Apps - Regularly review the installed apps to ensure they remain relevant and necessary for your organization.
Check App Permissions - Review permissions of these apps and enable approval before adding third-party apps. This helps in restricting unnecessary access to sensitive data.
Remove Unnecessary Apps and block access - If an app is no longer needed, remove it. Restrict access to Google Workspace data for less secure apps within your domain to enhance overall security. Also control access to Google core services such as Drive, Gmail, and Calendar. These reduce the attack surface and minimizes the risk of security breaches.
Educate Users on App Security - Train your users to be cautious about the apps they install. Emphasize the importance of using only trusted applications to avoid potential security threats.
Enable App Verification - Activate app verification to add an extra layer of security. This ensures the authenticity of apps accessing your Google Workspace.
4. Data Loss Prevention (DLP)
- Configure DLP Rules: Implement DLP policies to monitor and restrict the sharing of sensitive information, such as credit card numbers or personal identification numbers, across Google Drive, Gmail, and Google Chat. This helps prevent accidental data leaks.
Steps Set Up DLP Rules in Google Workspace
Here are the steps to set it up; (here is a video walkthrough)
1. Sign into your Google Admin console.
a. Navigate to Security > Data protection > Manage Rules.
b. Click on Add Rule to create a new DLP rule (only super admins can do this).
c. Provide a clear name that describes the purpose/description of the rule.
2. Go to Scope and choose users who you want to be affected by the rule (either choose the whole organization or OUs).
a. Click Continue.
3. Triggers and Conditions page:
a. Under Conditions, click Add Conditions.
b. It’s wise to choose ‘All Content’.
c. Choose other detectors/conditions as required by your organization.
d. Click Continue.
4. Actions page:
a. Select the desired options by clicking the Action under the Google Drive heading.
b. Set the severity of the alerts by choosing from the dropdown under Alerting.
c. Check the ‘Send to alert center’ box.
d. Click Continue.
5. Review page:
a. Review the summary of the rules.
b. Click Create.
6. Refer to the guide on the Google Workspace Admin Help for DLP Rules.
Refer to the guide on the Google Workspace Admin Help for DLP Rules.
- Limit External Sharing: Restrict sharing settings to prevent users from sharing sensitive documents with external parties unless absolutely necessary. Set sharing permissions to allow only specific domains or users.
Steps to manage external sharing setting in Google Workspace
1. After signing into your Google Admin console,
a. Navigate to Drive and Docs Settings > Apps > Google Workspace > Drive and Docs.
b. Click on ‘Sharing settings’ to view the sharing options available for your organization.
2. Under Sharing options, locate the setting for Sharing outside of your organization.
a. Change this setting from On to Off. This will prevent users from sharing files and folders with anyone outside your organization.
5. Educate and Train Employees
Security Awareness Training: Conduct regular training sessions to educate employees about phishing attacks, social engineering tactics, and safe online practices. Awareness is critical in preventing security breaches caused by human error.
Promote Safe Browsing Practices: Encourage users to follow best practices while using the Chrome browser, such as enabling Safe Browsing and being cautious with downloads and extensions.
6. Regular Updates and Maintenance
- Keep Software Updated: Ensure that all software, including Google Workspace applications, is regularly updated to protect against vulnerabilities. Google frequently releases security patches that should be applied promptly.
By following these best practices, businesses, both big and small, can significantly enhance the security of their Google Workspace environment, protecting sensitive data and maintaining compliance with regulatory standards.