Block Google Workspace security risks with the right settings



Many companies run Google Workspace with the default settings. I see those defaults as a starting point to build on, not an end state. Google Workspace is designed to remove roadblocks from work, not add them, so the defaults are deliberately permissive and every company is expected to tighten them to fit its own processes.

So if you haven't yet reviewed your Google Workspace security settings, I recommend doing so now. Below are the risks the defaults leave open and the settings that close them. 👇

Risk #1: Wrong people gain access to information due to human error 🗂

No digital tool is ever 100 % secure, not Google, not Microsoft, not any other. Why? Because the biggest security risk is the one you cannot configure away: the people using the tool.

With Google Workspace's default settings, every employee can share Drive files with, and email information to, anyone outside the organization.

All it takes is one simple mistake: a single email or shared link that exposes internal information to outsiders. Under the defaults, the whole burden of getting this right rests on the employee, and that's not good.

So to protect your business's documents and data, you need to take extra steps that leave as little room for human error as possible.

  • Review who has access to what. In my experience, not everyone needs access to everything. Business-critical data should always be shared so that only the people who need it can see it. In Google Workspace you control this with organizational units, groups and per-folder sharing settings, so that employees and external collaborators see only the files that are relevant to them.

  • Adjust sharing rights. Think about who actually needs to be able to re-share files and folders. Often viewer access is enough, and it reduces the risk of important information ending up in the wrong hands. You can set this by role or by giving different folders different sharing settings.

  • Make stricter sharing the default. Even where sharing with anyone is allowed, you can reduce the risk by making view-only the default for new shares. Employees then have to consciously change the setting to give the recipient more access.

  • Create common practices and train employees to follow them. Everyone should know whom they may share data with and how. For example: files should never be downloaded and sent as email attachments, but always shared from Google Drive. You can't unsend an attachment, but revoking access in Drive is easy and can be done at any time.

  • Think about the whole employee life cycle. How does a new employee get a Google Workspace account? When an employee leaves, at what moment do they lose access, and who makes sure that happens? In the best case both steps are automated from your HR system or identity provider rather than handled by hand.

  • Put time limits on access. With the Google Workspace Enterprise license you can set an expiration date on a share, so access is removed automatically instead of lingering until someone remembers to revoke it. New features are on the way that will help with this.

Risk #2: Bad passwords open doors for cyber criminals 🔐

Google's own infrastructure is well defended against attack. Still, the default settings let a user sign in with nothing more than a username and password: 2-step verification is available, but it is not enforced.

If you think about it, how many services do you use at work and in your personal life?

Human memory is limited, so most people reuse the same password across services. The problem comes when one of those services is breached and its passwords leak to the world.

Enforcing scheduled password changes does not help, because an account is taken over within minutes of a password leaking, long before the next rotation. Complexity requirements increase the chance that users write passwords down in plaintext, and password-reuse prevention mostly leads to the same password with a few extra characters or an incrementing number appended.

  • Use 2-step verification. Add a second factor on top of the password. A decade ago this was a code sent to your phone by text message; since at least 2016 SMS has no longer been considered safe, because SIM swapping and interception let attackers receive the code. Instead, use a FIDO security key such as those made by Yubico, which is also resistant to phishing. It is a simple solution, but far too many companies still don't have it in use.

This paragraph was edited to encourage the use of a separate physical security key instead of a mobile prompt. Users have reportedly authorized attackers who simply flooded them with login requests. Thus the mobile prompt, while convenient, relies too much on the user.

Risk #3: Employees use Google accounts to sign in to external services 🧑‍💻

It sounds a bit random, I know, but honestly it is a much bigger risk than most companies realize. Many online services and applications these days let you sign in via a third party such as Facebook, Google or Microsoft.

Often we choose that option because it’s easier than creating yet another new account and password. But from your business's perspective, this creates a considerable risk.

When employees sign in to a service with their Google account, the service asks for permissions (OAuth scopes) and the employee approves them. Whatever the service requested, it can then use with the employee's own rights, often without the employee realizing what they granted. For example, an app could ask for write access to the user's Google Drive or Calendar, and once it holds that grant it keeps working in the background, without the user's password and without a 2-step verification prompt.

It's only a matter of time before someone uses this against your business: a malicious or compromised app that holds such a grant can read or export data until the grant is revoked.

By default, Google Workspace lets employees authorize any third-party app with their work account. Unless you block or limit this (in the Admin console under API controls), your employees can sign in to and authorize whatever they want with their work account.

  • Choose the services employees may sign in to with their Google account. You can mark the apps you know to be safe (Slack, Happeo, and so on) as trusted, restrict everything else to limited, low-risk scopes, or, if employees don't need any external services for their daily work, block third-party access entirely.
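Before deciding which apps to trust, limit or block, it helps to know which apps already hold grants and what they can do with them. The following is an added example, not code from the article: it reviews a list of OAuth grants offline. The records are constructed to mirror the shape of the Admin SDK Directory API `tokens` resource (clientId, displayText, scopes, userKey, nativeApp), which is where you would fetch the real list per user; the client IDs, app names and the trusted allowlist are made up for the example.

```python
"""Review third-party OAuth grants, as an added example for this section.

SAMPLE_TOKENS is constructed to mirror the shape of the Admin SDK Directory API
`tokens` resource (clientId, displayText, scopes, userKey, nativeApp); it is
not real output from any tenant, and the client IDs are made up.
"""
from collections import defaultdict

# Scopes that hand an app broad access to core Workspace data.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                               # full Gmail access
    "https://www.googleapis.com/auth/gmail.readonly",         # read all mail
    "https://www.googleapis.com/auth/drive",                  # all Drive files
    "https://www.googleapis.com/auth/calendar",               # read/write calendars
    "https://www.googleapis.com/auth/admin.directory.user",   # directory admin
}

# Hypothetical allowlist: client IDs of apps the company has vetted (e.g. Slack).
TRUSTED_CLIENT_IDS = {"slack-client.example"}

# Constructed sample grants in the Directory API tokens shape.
SAMPLE_TOKENS = [
    {"clientId": "slack-client.example", "displayText": "Slack",
     "userKey": "alice@example.com", "nativeApp": False,
     "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "pdf-merge.example", "displayText": "PDF Merge Helper",
     "userKey": "bob@example.com", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                "https://www.googleapis.com/auth/drive"]},
    {"clientId": "pdf-merge.example", "displayText": "PDF Merge Helper",
     "userKey": "carol@example.com", "nativeApp": False,
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"clientId": "calsync.example", "displayText": "Calendar Sync Pro",
     "userKey": "bob@example.com", "nativeApp": True,
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"clientId": "notes.example", "displayText": "Notes Widget",
     "userKey": "dave@example.com", "nativeApp": False,
     "scopes": ["openid", "https://www.googleapis.com/auth/drive.file"]},
]

SEVERITY_ORDER = {"high": 0, "review": 1}


def review_tokens(tokens, trusted=TRUSTED_CLIENT_IDS, high_risk=HIGH_RISK_SCOPES):
    """Group grants per app and flag every app that is not on the allowlist.

    An untrusted app holding any high-risk scope is 'high'; other untrusted
    apps are 'review' (the admin decides whether to trust, limit or block
    them). Trusted apps are skipped. Findings are sorted by severity, then name.
    """
    per_app = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for tok in tokens:
        app = per_app[tok["clientId"]]
        app["name"] = tok.get("displayText") or tok["clientId"]
        app["users"].add(tok["userKey"])
        app["scopes"].update(tok.get("scopes", []))

    findings = []
    for client_id, app in per_app.items():
        if client_id in trusted:
            continue
        risky = sorted(app["scopes"] & high_risk)
        findings.append({
            "app": app["name"],
            "client_id": client_id,
            "users": sorted(app["users"]),
            "risky_scopes": risky,
            "severity": "high" if risky else "review",
        })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["app"]))
    return findings


if __name__ == "__main__":
    for f in review_tokens(SAMPLE_TOKENS):
        print(f"[{f['severity']}] {f['app']} ({f['client_id']}): "
              f"{len(f['users'])} user(s), risky scopes: {f['risky_scopes'] or 'none'}")
```

The output groups every grant by app rather than by user, which is what the admin decision needs: an app two people authorized with full Drive access is one decision (trust, limit or block), not two. Apps in the "review" bucket hold only narrow scopes such as `drive.file`, which is the kind of access that can reasonably stay in the limited tier.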

Risk #4: Phishing emails trick the employees 🎣

Old school, but it works far too well for cybercriminals. The underlying problem is that email was never designed with today's threats in mind. It's like the fax machine ten years ago: nobody's idea of a modern tool, yet every office still depends on one.

Basically, all of email's security, from spam filtering to sender authentication (SPF, DKIM and DMARC), has been bolted on afterwards instead of being designed in from the start.

Another thing is that phishing emails look far more convincing than they used to. The email might even appear to come from your company's CEO, with the right display name and signature.

Admin settings alone will not solve this, but they take care of a large part of it; the rest is training and the right processes.

  • Make sure phishing emails are blocked. Turn on Gmail's spoofing and phishing protections so that such messages are quarantined or sent to spam before they reach your employees' inboxes, or at least arrive with a warning banner so prominent they can't be mistaken for something else.

  • Think of the role of your company's brand. How bad would it be if a customer received spam under your company's domain name? You can't prevent cybercriminals from sending such emails, but you can help the recipients' mail servers recognise them as forged: publish SPF, DKIM and DMARC records for your domain, and set the DMARC policy to quarantine or reject so that spoofed mail never reaches anyone's inbox.
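Publishing the records is only half the job; a DMARC record with `p=none` or an SPF record ending in `+all` looks like protection but provides none. The following is an added example, not part of the article: a small checker that grades SPF and DMARC records for the weaknesses a practitioner looks for first (monitoring-only DMARC policy, missing aggregate reporting address, permissive `all` qualifier, too many DNS lookups). The record strings are constructed for the example and nothing is fetched from DNS; the `_spf.google.com` include is the real one Google Workspace uses, the reporting mailbox is a placeholder.

```python
"""Grade SPF and DMARC records, as an added example for this section.

The record strings below are constructed for the example (nothing is looked up
in DNS), so the checks run offline; in practice you would fetch the TXT records
for your domain and for _dmarc.<your domain> and pass them in.
"""
import re

# Terms that each cost one of the 10 DNS lookups SPF allows (RFC 7208, 4.6.4).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt):
    """Return a list of weaknesses; an empty list means the record is strong."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports showing who spoofs you")
    return findings


def grade_spf(txt):
    """Return a list of weaknesses in an SPF record; empty means acceptable."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("?all is neutral, which is as good as no SPF at all")
        # ~all (softfail) and -all (fail) both let DMARC reject unaligned mail.
    lookups = sum(1 for t in terms[1:] if _LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror")
    return findings


def grade_domain(spf_txt, dmarc_txt):
    """Combine both checks into one report for a domain."""
    return {"spf": grade_spf(spf_txt), "dmarc": grade_dmarc(dmarc_txt)}


# Constructed records for the example. The Google Workspace include is real;
# the reporting mailbox is a placeholder.
WEAK_SPF = "v=spf1 include:_spf.google.com +all"
GOOD_SPF = "v=spf1 include:_spf.google.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, grade_domain(spf, dmarc))
```

Run it against your own records after you have had `p=none` with an `rua=` address in place long enough to confirm that every legitimate sender (marketing tools, ticketing systems, Google itself) is covered by SPF or DKIM; only then move to `p=quarantine` and finally `p=reject`.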

+1: Set up notifications for efficient monitoring and take full advantage of new features 🔔

You should ensure the environment is constantly monitored in case something critical happens.

  • Make sure your security notifications are on. You should know immediately when something urgent needs attention, for example a user signing in from an unusual location, downloading or sharing unusually much or unusually sensitive content, or being granted access somewhere they are not expected. In Google Workspace these alerts come through the Alert Center, and Enterprise editions additionally let you define your own rules on top of the audit logs.

  • If you don’t have time to follow the reports and notifications, get a partner to do it. This is included, for example, in our Your Google Workspace service. We will monitor the environment and take action if something critical is going on.

  • Stay on top of new features. Google adds features to Workspace constantly. For example, upcoming features will help you monitor shared documents: you can see what has been shared outside the organization and when, and if a share hasn't been used in a while, Google suggests removing it.

  • Update your licenses when the time comes. This way, you get new features and possibilities to improve your security. For example, Enterprise licenses have multiple security features other licenses don’t include.
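The alerts above are only useful if the rules behind them are concrete. As an added example, not code from the article or from Google, here is detection logic for three of the events mentioned (a share to an external domain, a file opened up to "anyone with the link", and a burst of downloads by one user) run over sample Drive audit events. The events are constructed to resemble Admin SDK Reports API `activities.list` output for the Drive application; the event and parameter names (`change_user_access`, `change_document_visibility`, `download`, `target_user`, `visibility`, `doc_title`) are assumed from that API rather than taken from the article, and the company domain, users and thresholds are placeholders.

```python
"""Detection logic over Drive audit events, as an added example for this section.

The events are constructed to resemble Admin SDK Reports API `activities.list`
output for applicationName=drive; event and parameter names are assumed from
that API, and nothing here queries Google.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}       # assumption: the company's own domains
DOWNLOAD_THRESHOLD = 20                   # downloads per actor within the window
DOWNLOAD_WINDOW = timedelta(minutes=10)
RISKY_VISIBILITY = {"people_with_link", "public_on_the_web"}


def _params(event):
    """Flatten the Reports API parameter list into a plain dict."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("value", p.get("multiValue", p.get("boolValue")))
    return out


def _activity(time, actor, name, **params):
    """Build one constructed activity record in the API's shape."""
    plist = [{"name": k, "value": v} for k, v in params.items()]
    return {"id": {"time": time, "applicationName": "drive"},
            "actor": {"email": actor},
            "events": [{"name": name, "parameters": plist}]}


# Constructed sample: one internal share, one external share, one link share,
# and a burst of 25 downloads by a single user inside one minute.
SAMPLE_ACTIVITIES = [
    _activity("2024-05-02T09:00:00.000Z", "alice@example.com", "change_user_access",
              doc_title="Q3 pricing.xlsx", target_user="bob@example.com", new_value="can_view"),
    _activity("2024-05-02T09:01:00.000Z", "alice@example.com", "change_user_access",
              doc_title="Q3 pricing.xlsx", target_user="partner@vendor.test", new_value="can_edit"),
    _activity("2024-05-02T09:02:00.000Z", "carol@example.com", "change_document_visibility",
              doc_title="Customer list.csv", visibility="people_with_link"),
] + [
    _activity(f"2024-05-02T10:00:{i * 2:02d}.000Z", "dave@example.com", "download",
              doc_title=f"export-{i}.csv")
    for i in range(25)
]


def detect(activities, internal=INTERNAL_DOMAINS):
    """Return (rule, actor, subject, detail) tuples for suspicious Drive events."""
    findings = []
    downloads = defaultdict(list)
    for act in activities:
        ts = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))
        actor = act["actor"]["email"]
        for ev in act["events"]:
            p = _params(ev)
            if ev["name"] == "change_user_access":
                domain = p["target_user"].rsplit("@", 1)[-1].lower()
                if domain not in internal:
                    findings.append(("external_share", actor, p["doc_title"], p["target_user"]))
            elif ev["name"] == "change_document_visibility":
                if p.get("visibility") in RISKY_VISIBILITY:
                    findings.append(("link_sharing", actor, p["doc_title"], p["visibility"]))
            elif ev["name"] == "download":
                downloads[actor].append(ts)

    # Sliding window per actor: alert once when the count inside the window
    # reaches the threshold.
    for actor, times in downloads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > DOWNLOAD_WINDOW:
                start += 1
            count = end - start + 1
            if count >= DOWNLOAD_THRESHOLD:
                findings.append(("mass_download", actor, f"{count} downloads in {DOWNLOAD_WINDOW}", None))
                break
    return findings


if __name__ == "__main__":
    for rule, actor, subject, detail in detect(SAMPLE_ACTIVITIES):
        print(f"{rule:15} {actor:20} {subject} {detail or ''}")
```

The external-share rule deliberately keys on the recipient's domain rather than on a "shared externally" flag, so it also catches shares to personal addresses of colleagues; tune the download threshold to your own baseline, since a single engineer exporting a large project can legitimately exceed twenty files in ten minutes.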

Test if your Google Workspace is in shape

If you’re not sure where to begin, do our free Health Check. You can quickly see if your Google Workspace needs some work.