The Google Workspace Security Checklist Every SME Should Run
Most businesses have Google Workspace configured out-of-the-box. Most of those configurations have at least three critical gaps.
Your Google Workspace Is Probably Less Secure Than You Think
Google Workspace is excellent out of the box. It's also configured for convenience by default, not security. Most businesses with 5 to 100 employees deploy Workspace, set up email, and never touch the admin console again. That default state has real gaps.
We audit Google Workspace environments regularly for our clients. Here are the most common issues we find, and how to fix each one.
1. Enforce Multi-Factor Authentication (MFA)
The gap: MFA is available in every Google Workspace tier but is not enforced by default. If even one admin account lacks MFA, your entire domain is one phished password away from compromise.
- Open Admin Console > Security > 2-Step Verification
- Set enforcement to "On" for the entire organization
- Allow a 1-week enrollment period so users can set up their authenticator app or security key
- Require security keys for all admin accounts (not just SMS or TOTP)
Why it matters: According to Google's own data, MFA blocks 99.9% of automated account compromise attempts. This is the single highest-ROI security control you can deploy.
2. Restrict Third-Party App Access
The gap: By default, any user can grant third-party applications access to their Google account via OAuth. This means a marketing intern can authorize a random Chrome extension that has full read access to their email and Drive files.
- Admin Console > Security > API Controls > App Access Control
- Set the policy to "Don't allow users to access any third-party apps" or maintain a curated allowlist
- Review currently authorized apps and revoke any that are not business-critical
Why it matters: OAuth token theft is one of the fastest-growing attack vectors. A compromised third-party app can exfiltrate data without ever needing the user's password.
3. Configure Data Loss Prevention (DLP) Rules
The gap: Without DLP rules, any user can email or share files containing sensitive data (SSNs, credit card numbers, financial records) to any external address without warning or blocking.
- Admin Console > Security > Data Protection > Manage Rules
- Create rules for common sensitive data types: credit card numbers, Social Security numbers, bank account numbers
- Set rules to "Warn" initially (to avoid disrupting legitimate workflows), then escalate to "Block" after a 30-day observation period
- Apply rules to Gmail, Drive sharing, and Chat
Why it matters: Even without malicious intent, accidental data exposure is the most common source of compliance violations for SMEs.
4. Tighten External Sharing in Google Drive
The gap: The default sharing settings often allow users to share files with "anyone with the link," which creates documents that anyone holding the link can open, and that search engines can index once that link is posted anywhere public.
- Admin Console > Apps > Google Workspace > Drive and Docs > Sharing Settings
- Set external sharing to "Allowlisted domains" or at minimum "Only for users in your organization" as the default
- Disable "Anyone with the link" sharing for files outside your organization
- Enable a warning when users share files externally
5. Enable Audit Logging and Alerts
The gap: Google Workspace generates detailed audit logs, but most organizations never look at them. You should be alerted when suspicious activity occurs, not discover it weeks later.
- Admin Console > Reporting > Audit and Investigation
- Set up alerts for: Admin role changes, suspicious login activity, mass file downloads, DLP rule violations, and failed login spikes
- Route critical alerts to a shared security inbox or Slack channel, not just the admin's personal email
- Review login audit logs monthly for patterns (logins from unexpected countries, unusual hours, multiple failed attempts)
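The monthly log review above can be scripted rather than eyeballed. The following is an added example, not code from the original post: it runs the three checks the checklist names (unexpected country, unusual hour, failed-login spike) over a constructed sample shaped like Reports API "login" activity records. The country field is an assumed GeoIP enrichment, and the expected-country set, office hours and failure threshold are assumptions to tune for your organization.

```python
from collections import Counter
from datetime import datetime

def ev(ts, email, ip, country, name, **params):
    """Constructed record in the shape of a Reports API 'login' activity;
    'country' is an assumed GeoIP enrichment, not a field the API returns."""
    return {"id": {"time": ts, "applicationName": "login"},
            "actor": {"email": email}, "ipAddress": ip, "country": country,
            "events": [{"type": "login", "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}

PW = {"login_type": "google_password"}
# Constructed sample: one clean login, one at 03:40, one from an unexpected
# country, and five invalid-password failures against a single account.
SAMPLE_EVENTS = [
    ev("2024-05-06T09:12:00Z", "amy@example.com", "203.0.113.10", "US", "login_success", **PW),
    ev("2024-05-06T03:40:00Z", "bob@example.com", "203.0.113.11", "US", "login_success", **PW),
    ev("2024-05-06T11:00:00Z", "carol@example.com", "198.51.100.7", "RU", "login_success", **PW),
] + [
    ev(f"2024-05-06T10:0{i}:00Z", "dave@example.com", "198.51.100.9", "US", "login_failure",
       login_failure_type="login_failure_invalid_password") for i in range(5)
]

EXPECTED_COUNTRIES = {"US", "CA"}   # assumed: where your staff normally sign in from
WORK_HOURS = range(7, 20)           # assumed office hours, 07:00-19:59 UTC
FAILURE_THRESHOLD = 5               # failures per account in the reviewed window

def review_logins(events, expected=EXPECTED_COUNTRIES):
    """Return (account, finding, detail) tuples for the three patterns in the checklist."""
    findings, failures = [], Counter()
    for e in events:
        who = e["actor"]["email"]
        name = e["events"][0]["name"]
        if name == "login_failure":
            failures[who] += 1
            continue
        if name != "login_success":
            continue
        when = datetime.fromisoformat(e["id"]["time"].replace("Z", "+00:00"))
        country = e.get("country", "unknown")
        if country not in expected:
            findings.append((who, "unexpected_country", country))
        if when.hour not in WORK_HOURS:
            findings.append((who, "unusual_hour", when.strftime("%H:%M")))
    for who, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append((who, "failed_login_spike", str(n)))
    return findings
```

Feed it the records returned by the Reports API for the login application and route anything it returns to the shared security inbox from the previous step.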
6. Enforce Password Policies
The gap: Google Workspace allows you to set minimum password length and strength requirements, but many organizations leave the defaults in place (8 characters, no complexity requirement).
- Admin Console > Security > Password Management
- Set minimum length to 12 characters
- Enable password strength enforcement
- Require password change every 180 days for standard users, 90 days for admins
- Block the use of previously compromised passwords (available in Business Standard and above)
7. Review Admin Roles and Privileges
The gap: Over time, admin privileges accumulate. The person who set up Workspace two years ago still has Super Admin access even though they're now in a different role. Multiple people have admin access "just in case."
- Audit all accounts with admin privileges quarterly
- Apply the principle of least privilege: most people need User Management Admin or Help Desk Admin, not Super Admin
- Maintain exactly two Super Admin accounts: one primary, one break-glass (stored securely, not used for daily work)
- Remove admin access from anyone who doesn't actively need it
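The quarterly admin review above is easy to script so it actually happens every quarter. This is an added example, not code from the original post: it audits a constructed sample shaped like Directory API users.list entries against the rules in this section (exactly two Super Admins, break-glass not used day to day, unused privilege removed). The break-glass address, review date, 90-day staleness window and 30-day quiet window are assumptions.

```python
from datetime import datetime, timedelta, timezone

def user(email, is_admin, delegated, last_login, suspended=False):
    """Constructed record in the shape of a Directory API users.list entry."""
    return {"primaryEmail": email, "isAdmin": is_admin, "isDelegatedAdmin": delegated,
            "suspended": suspended, "lastLoginTime": last_login}

# Constructed sample: three active Super Admins (one too many), the break-glass
# account signed in yesterday, and a founder who has not logged in since November.
SAMPLE_USERS = [
    user("it-lead@example.com", True, False, "2024-05-03T08:00:00Z"),
    user("breakglass@example.com", True, False, "2024-05-05T07:30:00Z"),
    user("founder@example.com", True, False, "2023-11-01T16:45:00Z"),
    user("helpdesk@example.com", False, True, "2024-05-06T09:05:00Z"),
    user("sam@example.com", False, False, "2024-05-06T08:10:00Z"),
    user("old-contractor@example.com", True, False, "2023-06-01T10:00:00Z", suspended=True),
]

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_admins(users, break_glass, now, stale_days=90, quiet_days=30):
    """Return (account, finding, detail) tuples for the checklist's admin-role review."""
    findings = []
    # Suspended accounts cannot sign in, so only active Super Admins count.
    supers = [u for u in users if u.get("isAdmin") and not u.get("suspended")]
    if len(supers) != 2:
        findings.append(("domain", "super_admin_count", str(len(supers))))
    for u in supers:
        email, last = u["primaryEmail"], parse_ts(u["lastLoginTime"])
        age = now - last
        if email == break_glass:
            # Break-glass is only for emergencies: a recent login is itself a finding.
            if age < timedelta(days=quiet_days):
                findings.append((email, "break_glass_used", last.date().isoformat()))
        elif age > timedelta(days=stale_days):
            # Privilege that is not used should be removed, not kept "just in case".
            findings.append((email, "stale_super_admin", last.date().isoformat()))
    return findings

NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)   # assumed date of this quarter's review
```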
Run This Checklist Today
None of these changes require an expensive security product or a dedicated security team. They require 2-4 hours of admin console time and a commitment to reviewing them quarterly.
If you run through this list and find three or more gaps, your Workspace environment is typical. If you want help prioritizing and implementing these changes, we do this regularly for our managed clients and can assess your environment in a single session.