TL;DR:
- Most Google Workspace security failures come from default settings that should have been changed at setup
- Enforcing 2-Step Verification for all users and restricting external sharing are the two highest-impact fixes
- The Google Admin Console security health check shows exactly what’s misconfigured in your account
Google Workspace is the backbone of millions of small businesses — email, documents, calendars, video calls, all in one place. The default settings that Google ships are designed to be broadly compatible, not maximally secure. That means an account configured at setup and never revisited has likely accumulated several quiet security problems.
The good news: most of the highest-impact fixes are a single toggle in the Admin Console. Here are the eight settings worth checking today.
1. Enforce 2-Step Verification for All Users
Where to fix it: Admin Console → Security → Authentication → 2-Step Verification
The default setting allows 2-step verification (Google’s term for MFA) but doesn’t require it. Any user who hasn’t set it up voluntarily can be compromised with a stolen password alone.
Set it to Enforce 2-Step Verification for all users. You can set a grace period (7 days is reasonable) to give staff time to enroll before they’re locked out.
Additionally, consider restricting the allowed second factor methods. SMS text messages are better than nothing but vulnerable to SIM-swap attacks. Under the same settings section, you can restrict to Google Authenticator or hardware keys only and disable SMS. For most small businesses, Authenticator app only is the right balance.
2. Review External Sharing for Google Drive
Where to fix it: Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings
The default allows users to share files and folders with anyone, including “Anyone with the link” — which means any file shared this way is publicly accessible on the internet without any login.
Check and set:
- Sharing outside your organisation: decide whether external sharing is needed at all. Many businesses can set this to “No sharing outside domain” for most users
- Default link sharing: change “Anyone with the link” to “Restricted” as the default. Users can still choose to share externally, but they have to actively choose it rather than accidentally leave documents public
- Warning before sharing outside domain: enable this — it shows a confirmation prompt when a user tries to share externally
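To see what those sharing settings actually leave exposed, it helps to audit existing files rather than only the defaults. The script below is an added example, not part of the original article: it takes a list of files in the shape the Drive API v3 `files` resource uses when the `permissions` field is requested (the field names `type`, `role`, `emailAddress`, `domain` and `allowFileDiscovery` are real; the files and addresses are constructed) and flags every permission that reaches outside your own domain, most exposed first. The organisation domain `example.com` and the severity ordering are this example's assumptions.

```python
"""Flag over-shared Drive files from a Drive API files.list response (added example)."""

# Constructed sample: shape mirrors the Drive API v3 `files` resource with
# `permissions` requested. Field names are real; names and addresses are made up.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 payroll.xlsx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "finance@example.com"},
         # allowFileDiscovery=False on an "anyone" grant is "Anyone with the link"
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f2", "name": "Brochure.pdf",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "marketing@example.com"},
         # allowFileDiscovery=True is "Public on the web" (searchable)
         {"type": "anyone", "role": "reader", "allowFileDiscovery": True},
     ]},
    {"id": "f3", "name": "Client proposal.docx",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "partner@other-company.test"},
         {"type": "domain", "role": "reader", "domain": "example.com"},
     ]},
    {"id": "f4", "name": "Team notes.gdoc",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "ops@example.com"},
         {"type": "user", "role": "commenter", "emailAddress": "cfo@example.com"},
     ]},
]

# Severity order is this example's choice: public first, then link-shared,
# then anything granted to another domain or an outside address.
SEVERITY = {"public": 0, "anyone-with-link": 1, "external-domain": 2,
            "external-user": 3, "unknown": 4}


def classify_permission(perm, org_domain):
    """Return a finding label for one permission, or None if it stays inside org_domain."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "public" if perm.get("allowFileDiscovery") else "anyone-with-link"
    if ptype == "domain":
        return None if perm.get("domain", "").lower() == org_domain else "external-domain"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        return None if email.endswith("@" + org_domain) else "external-user"
    return "unknown"


def audit_sharing(files, org_domain):
    """Return [(file_id, name, label, role)] for every permission reaching outside org_domain."""
    org_domain = org_domain.lower()
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            label = classify_permission(perm, org_domain)
            if label:
                findings.append((f["id"], f["name"], label, perm.get("role")))
    findings.sort(key=lambda row: SEVERITY[row[2]])  # stable sort keeps file order within a level
    return findings


if __name__ == "__main__":
    for fid, name, label, role in audit_sharing(SAMPLE_FILES, "example.com"):
        print(f"{label:16} {role:9} {name} ({fid})")
```

On a live tenant the same logic would run over the output of `files.list` with `fields="files(id,name,permissions)"`; the point of the ordering is that a payroll sheet on "Anyone with the link" surfaces before a brochure that was meant to be public.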
3. Enable Gmail’s Enhanced Phishing Protections
Where to fix it: Admin Console → Apps → Google Workspace → Gmail → Safety
Gmail’s enhanced phishing protections include:
- Protect against domain spoofing: enables DMARC-based checks
- Protect against spoofing of employee names: flags emails that spoof your employee names from external domains
- Protect against messages where the sender’s domain is young: flags email from very recently registered domains
- Protect against encrypted attachments from untrusted senders
- Show warning prompts when users click links in suspected phishing messages
All of these are off by default and most should be turned on. The quarantine and warning options give you control over whether suspicious messages are blocked, quarantined, or just flagged to the user.
4. Check Third-Party App Access
Where to fix it: Admin Console → Security → API controls → Manage Google Services
Over time, users connect third-party apps to Google Workspace — Slack, Notion, project management tools, marketing platforms — and grant them access to Gmail, Drive, or Calendar. Many of these grants are forgotten. Some apps were connected with far broader permissions than needed. Former employees may have connected personal apps that still have access.
Under Manage Third-Party App Access, you can:
- See all connected apps and what scopes they’ve been granted
- Revoke access for any app you don’t recognise or no longer use
- Set a policy requiring admin review before users can connect new apps (recommended for businesses where staff shouldn’t be connecting arbitrary apps to company data)
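The Admin Console list gets long quickly, so it helps to rank grants by how much they can reach. The following is an added example, not code from the article or from Google: it takes per-user results in the shape of the Directory API `tokens.list()` resource (the fields `clientId`, `displayText`, `scopes`, `anonymous` and `nativeApp` are real; the apps and users are constructed) and scores each grant by the number of broad scopes it holds. The scope URLs are real Google OAuth scopes, but which ones count as "broad" is this example's judgement, not a Google classification.

```python
"""Rank third-party OAuth grants by scope breadth (added example)."""

# Real Google OAuth scope strings; treating them as "broad" is this example's choice.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read/modify all mail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}
# Scopes that only identify the user (Sign in with Google); low concern on their own.
IDENTITY_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Constructed sample: per-user `items` from Directory API tokens.list().
# Field names mirror the real `token` resource; client IDs and names are made up.
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "Slack",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                    "https://www.googleapis.com/auth/drive.file"],
         "anonymous": False, "nativeApp": False},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "Mail Merge Helper",
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts"],
         "anonymous": False, "nativeApp": False},
    ],
    "bob@example.com": [
        # anonymous=True: the app has an anonymous client ID, i.e. is not registered with Google
        {"clientId": "333.apps.googleusercontent.com", "displayText": "",
         "scopes": ["https://www.googleapis.com/auth/drive"],
         "anonymous": True, "nativeApp": False},
        {"clientId": "444.apps.googleusercontent.com", "displayText": "Calendar Sync",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly", "openid"],
         "anonymous": False, "nativeApp": True},
    ],
}


def assess_token(token):
    """Return (score, reasons) for one grant; a higher score means review it first."""
    scopes = token.get("scopes", [])
    reasons = [BROAD_SCOPES[s] for s in scopes if s in BROAD_SCOPES]
    # An unregistered or unnamed app deserves a look whatever its scopes.
    if token.get("anonymous") or not token.get("displayText"):
        reasons.append("unverified/unnamed app")
    score = len(reasons)
    if score == 0 and scopes and all(s in IDENTITY_SCOPES for s in scopes):
        reasons.append("sign-in only")
    return score, reasons


def review_queue(tokens_by_user):
    """Return [(user, clientId, displayText, score, reasons)] with the riskiest grants first."""
    rows = []
    for user, tokens in tokens_by_user.items():
        for t in tokens:
            score, reasons = assess_token(t)
            rows.append((user, t["clientId"], t.get("displayText") or "<no name>", score, reasons))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for user, client_id, name, score, reasons in review_queue(SAMPLE_TOKENS):
        print(f"{score}  {user:20} {name:20} {', '.join(reasons) or 'narrow scopes'}")
```

Two things the ranking surfaces that a flat list hides: a helpfully named app holding full mailbox access, and a nameless app with full Drive access. Both are what the "review before connecting" policy above is meant to catch up front.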
5. Audit Admin Roles
Where to fix it: Admin Console → Account → Admin roles
Who has Super Admin access in your Workspace? The answer is usually “more people than necessary.” Super Admin can do anything: reset passwords, access all data, change billing, delete users.
Audit the list and reduce it to the minimum. If you have Super Admin roles assigned to personal Gmail accounts (common for bootstrapped businesses where someone’s personal account was used to set up the org), consider creating a dedicated admin account and removing personal account access.
Enable Login activity alerts for admin accounts so you receive a notification whenever an admin account logs in from a new device or location.
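Sections 1 and 5 both come down to one question about each account: is it an admin, and is 2-Step Verification actually on? The script below is an added example, not code from the article or from Google, that answers both from a `users.list` response in the Directory API v1 shape (the fields `primaryEmail`, `isAdmin`, `isDelegatedAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `suspended` and `lastLoginTime` are real; the accounts, timestamps and the 90-day "stale admin" threshold are this example's constructed assumptions). It reports users still unenrolled, users under enforcement who have not enrolled yet (still in the grace period), every super and delegated admin, admins without 2SV, and admins that have not signed in recently.

```python
"""Audit users.list output for 2SV gaps and excess admin privilege (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed reference time for the "stale admin" check (assumed, not from the page).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)

# Constructed sample mirroring Directory API v1 `users.list` entries.
# Field names are real; accounts and timestamps are made up.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-05-01T09:12:00.000Z"},
    {"primaryEmail": "it@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-04-28T16:40:00.000Z"},
    {"primaryEmail": "old-contractor@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2023-11-02T11:05:00.000Z"},
    {"primaryEmail": "sam@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-05-02T08:00:00.000Z"},
    {"primaryEmail": "pat@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2024-05-02T10:30:00.000Z"},
    # Suspended accounts cannot sign in, so they are skipped below.
    {"primaryEmail": "left@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True,
     "lastLoginTime": "2023-06-15T09:00:00.000Z"},
]


def parse_ts(ts):
    """Parse the RFC 3339 millisecond timestamps the Directory API returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now=NOW, stale_days=90):
    """Return a dict of finding lists, each holding primary email addresses."""
    report = {"no_2sv": [], "enforced_not_enrolled": [], "super_admins": [],
              "delegated_admins": [], "admins_without_2sv": [], "stale_admins": []}
    cutoff = now - timedelta(days=stale_days)
    for u in users:
        if u.get("suspended"):
            continue
        email = u["primaryEmail"]
        enrolled = bool(u.get("isEnrolledIn2Sv"))
        enforced = bool(u.get("isEnforcedIn2Sv"))
        is_super = bool(u.get("isAdmin"))
        is_delegated = bool(u.get("isDelegatedAdmin"))
        if not enrolled:
            report["no_2sv"].append(email)
            if enforced:  # enforcement applies but the user has not enrolled yet
                report["enforced_not_enrolled"].append(email)
        if is_super:
            report["super_admins"].append(email)
        if is_delegated:
            report["delegated_admins"].append(email)
        if is_super or is_delegated:
            if not enrolled:
                report["admins_without_2sv"].append(email)
            last = u.get("lastLoginTime")
            # Accounts that never signed in report the Unix epoch, which also counts as stale.
            if last is None or parse_ts(last) < cutoff:
                report["stale_admins"].append(email)
    return report


if __name__ == "__main__":
    for finding, emails in audit_users(SAMPLE_USERS).items():
        print(f"{finding:22} {', '.join(emails) or '-'}")
```

The most useful line in the output is usually `admins_without_2sv`: a super admin that is both unenrolled and stale is exactly the forgotten account the section above says to remove.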
6. Configure Security Keys for Admins
Where to fix it: Admin Console → Security → Authentication → Advanced protection for admins
For admin accounts specifically, consider enrolling in Google’s Advanced Protection Program, which:
- Restricts third-party app access to verified apps only
- Requires hardware security keys (Google Titan key or YubiKey)
- Enables additional Gmail safeguards against phishing
Standard MFA protects most accounts adequately, but admin accounts are high-value targets. The extra step of requiring a physical security key for admin logins is worth the small friction.
7. Enable Suspicious Activity Alerts
Where to fix it: Admin Console → Security → Alerts
Google can notify you when suspicious events occur in your account:
- User suspended for sending spam (your account has been compromised and used to send phishing)
- Login from suspicious IP address
- User granted admin role
- Data export from Drive
- Government-backed attack warning
Most of these are not on by default. Enable email alerts for the events that matter to you, and consider routing them to a shared IT or admin mailbox rather than a single person’s inbox.
8. Run the Security Health Check
Where to fix it: Admin Console → Security → Security health
Google provides a built-in security assessment that checks your Workspace configuration against their recommended settings. It shows green/yellow/red indicators for dozens of settings across authentication, sharing, Gmail, and more. It takes about 10 minutes to review and gives you a prioritised list of exactly what’s misconfigured in your specific account.
Run this first if you haven’t done a Workspace security review before. It’s a faster way to identify your specific gaps than working through all settings manually.
Most small businesses spend years on Google Workspace without ever revisiting these settings after initial setup. A 30-minute session in the Admin Console — starting with the security health check — is one of the most efficient security investments you can make. Unlike implementing new security tools, fixing these settings costs nothing and doesn’t require staff training.