10 Admin Settings for Google Workspace Security

by cinch i.t. / Monday, 15 December 2025 / Published in Company News, Tech Blog

Running your business on Google Workspace (formerly G Suite) gives you powerful tools like Gmail, Drive, Docs, and real-time collaboration that keep teams productive and connected. However, many small and midsize businesses don’t realize that the default, out-of-the-box settings aren’t always designed to meet the security needs of a professional business environment. Without proper configuration, gaps in Google Workspace Security can leave users, data, and communications exposed.

As a Google Workspace administrator, enabling the right security controls is essential to protecting your organization from account takeovers, data leaks, and unauthorized access. To help, we’ve compiled the top 10 admin settings every SMB should enable. Best of all, most of them can be turned on quickly, often in a single admin session, so you can strengthen your defenses without disrupting daily operations.

The 10 Admin Settings for Google Workspace Security

1. Enforce 2-Step Verification (Multi-Factor Authentication) for All Users: This is number one of the 10 admin settings for a reason. Requiring a second factor at login, such as a Google prompt, an authenticator app, or a security key, stops an attacker who holds only a stolen or guessed password. CISA’s guidance is that MFA makes an account 99% less likely to be compromised.

In the Admin Console, go to Security > Authentication > 2-Step Verification. Set Enforcement to “On for everyone” and give users a short enrollment period (a week or two, not indefinite; anyone who has not enrolled when it ends is locked out until they do). Under Methods, choose “Any except verification codes via text, phone call”, which allows Google prompts, authenticator apps, and security keys while blocking SMS and voice codes, both of which can be hijacked with a SIM swap. For admins, consider “Only security key” and leave “Allow user to trust device” off so their second factor is required at every sign-in. Roll enforcement out to your super admins first and confirm each one has a key enrolled before it reaches the rest of the organization. For high-risk accounts Google also offers the free Advanced Protection Program, which mandates security keys; we recommend enrolling key personnel in it.

MFA closes the door on the vast majority of hijacking attempts that use stolen passwords.

2. Limit External Sharing of Drive Files: Google Drive’s sharing is convenient but leads to accidental data leaks if left wide open, so tighten the defaults. In Admin Console > Apps > Google Workspace > Drive and Docs > Sharing settings, set the link-sharing default for new files to Off, so a newly created file is restricted to its owner and the specific people they add until someone deliberately widens it. If you must allow a broader default, choose “anyone at your organization with the link”, never “public on the web”.

Next, control who can share with “Anyone with the link”. Set “Sharing outside of your organization” to Off for organizational units that never need it, or to “Allowlisted domains” for those that work with named partners. Where external sharing stays on, uncheck the option that lets users make files visible to anyone with the link, so every external share must name a specific account; a link that works for anyone will eventually be forwarded to someone it was not meant for.

Also, consider enabling Data Loss Prevention (DLP) rules if you have them available (depending on your edition) to flag if users share files containing sensitive info externally. Google’s tools can detect when, say, a file with 100 credit card numbers is shared outside and warn or block it. The goal: reduce the chance employees accidentally overshare.

A common misconfiguration is leaving company Drive folders accessible to anyone with a link – don’t let that happen. Tighten the defaults now, so only intentional shares go out, ideally to specific people.
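Finding the files that are already over-shared is the other half of this setting. The script below is an added example for this article (not code from Cinch I.T. or Google): it classifies each permission on a file as internal, external, anyone-with-link, or public, and reports the worst exposure first. The records are constructed, but follow the shape of Google Drive API v3 `files.list` results with `permissions` included, which is what a GAM or Admin SDK export of externally shared files gives you to review; `ORG_DOMAIN` is an assumed value.

```python
"""Flag Drive files shared outside the organization or via public links.

Added example for this article (not code from Cinch I.T. or Google). The
records below are constructed, but follow the shape of Google Drive API v3
`files.list` results with `permissions` included.
"""
from typing import Iterable, Optional

ORG_DOMAIN = "example.com"  # assumption: your primary Workspace domain

# Constructed sample data: four files as files.list might return them.
SAMPLE_FILES = [
    {"id": "1aaa", "name": "Q4 customer list.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "2bbb", "name": "Vendor contract.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bo@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "counsel@partner-law.example"},
    ]},
    {"id": "3ccc", "name": "Team lunch menu.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cy@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
    ]},
    {"id": "4ddd", "name": "Webinar slides.pptx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "di@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True},
    ]},
]

# Higher number = more exposure; used to sort the report.
SEVERITY = {"public-on-web": 4, "anyone-with-link": 3, "external-domain": 2,
            "external-user": 1, "external-group": 1}


def classify_permission(perm: dict, org_domain: str) -> Optional[str]:
    """Return 'kind:who:role' for an external permission, or None if internal."""
    ptype = perm.get("type")
    role = perm.get("role", "reader")
    if ptype == "anyone":
        # allowFileDiscovery=True means the file is public and searchable, not just link-shared
        kind = "public-on-web" if perm.get("allowFileDiscovery") else "anyone-with-link"
        return f"{kind}:*:{role}"
    if ptype == "domain":
        dom = perm.get("domain", "").lower()
        return None if dom == org_domain else f"external-domain:{dom}:{role}"
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "").lower()
        if email.rsplit("@", 1)[-1] == org_domain:
            return None
        return f"external-{ptype}:{email}:{role}"
    return f"unknown-type:{ptype}:{role}"


def audit_sharing(files: Iterable[dict], org_domain: str = ORG_DOMAIN) -> list:
    """Return one finding per over-shared file, worst exposure first."""
    report = []
    for f in files:
        labels = []
        for p in f.get("permissions", []):
            label = classify_permission(p, org_domain)
            if label:
                labels.append(label)
        if labels:
            worst = max(SEVERITY.get(lab.split(":")[0], 0) for lab in labels)
            report.append({"id": f["id"], "name": f["name"],
                           "severity": worst, "findings": labels})
    report.sort(key=lambda r: (-r["severity"], r["name"]))
    return report


if __name__ == "__main__":
    for row in audit_sharing(SAMPLE_FILES):
        print(f"[{row['severity']}] {row['name']} ({row['id']}): {', '.join(row['findings'])}")
```

Files shared to a domain other than your own, and `anyone` permissions with `allowFileDiscovery` set, are the ones to fix first; a file shared to one named external account is usually an intentional share and just needs confirming with the owner.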

3. Turn On Admin Alerts and Audit Logging: Google Workspace provides an Alert Center (Admin Console > Security > Alert center). Open Rules, review the predefined alerts, and turn on email notification for the critical ones: suspicious login, leaked password, user-reported phishing, malware detected after delivery, device compromised, and the admin-activity alerts. Workspace audit logs (login, admin, Drive, Gmail, and OAuth token events) are collected by default; what you need to decide is who reviews them and how.

In a breach investigation, logs are invaluable. Under Reporting > Audit and investigation you can search each log, and on editions with activity rules you can save a search as a rule that alerts or acts automatically (for example, when one user deletes an unusual number of files in a few minutes). Two events deserve an alert in every organization: a user being granted the Super Admin role, and 2-Step Verification being turned off on an admin account. Either can mean an attacker is elevating privileges or removing the control that would stop them. Google’s predefined alerts are somewhat limited, but they cover the common red flags, and the Reports API lets you pull the same logs into your own SIEM or scripts if you want more.
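If you do pull the logs yourself, the red flags above are simple to express as rules. The script below is an added example for this article (not code from Cinch I.T. or Google). The entries are constructed, but use the shape the Admin SDK Reports API returns from `activities.list`: `id.time`, `id.applicationName`, `actor.email`, and a list of `events`, each with a `name` and `parameters`. The event and parameter names follow the Reports API’s naming for the login, admin, and Drive logs (`2sv_disable`, `suspicious_login`, `login_failure`, `ASSIGN_ROLE` with `ROLE_NAME` and `USER_EMAIL`, Drive `delete`); verify them against your own exported logs, and treat the burst thresholds as assumptions to tune for your organization.

```python
"""Triage Workspace audit-log entries for the red flags this article calls out.

Added example for this article (not code from Cinch I.T. or Google). Entries
are constructed in the shape of Admin SDK Reports API activities.list results.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SUPER_ADMIN_ROLE = "_SEED_ADMIN_ROLE"          # built-in super admin role name
ALWAYS_ALERT = {"2sv_disable", "suspicious_login", "account_disabled_password_leak"}
BURST_RULES = {                                 # (app, event): (count, window) -- assumed thresholds
    ("login", "login_failure"): (5, timedelta(minutes=10)),   # password guessing / spraying
    ("drive", "delete"): (20, timedelta(minutes=5)),          # mass deletion
}


def _parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _entry(app, actor, when, name, **params):
    """Build one Reports-API-shaped entry (constructed sample data only)."""
    return {"id": {"time": when.strftime("%Y-%m-%dT%H:%M:%S.000Z"), "applicationName": app},
            "actor": {"email": actor},
            "events": [{"name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


_T0 = datetime(2025, 12, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = (
    [_entry("login", "ana@example.com", _T0, "login_success", login_type="google_password"),
     _entry("login", "bo@example.com", _T0 + timedelta(minutes=1), "2sv_disable"),
     _entry("admin", "bo@example.com", _T0 + timedelta(minutes=2), "ASSIGN_ROLE",
            ROLE_NAME=SUPER_ADMIN_ROLE, USER_EMAIL="contractor@example.com"),
     _entry("login", "cy@example.com", _T0 + timedelta(minutes=3), "suspicious_login"),
     _entry("login", "di@example.com", _T0 + timedelta(minutes=4), "login_failure")]
    # six failed logins against one account within three minutes
    + [_entry("login", "eve@example.com", _T0 + timedelta(seconds=30 * i), "login_failure")
       for i in range(6)]
    # 25 Drive deletions by one user in under a minute
    + [_entry("drive", "fay@example.com", _T0 + timedelta(seconds=2 * i), "delete",
              doc_id=f"doc{i}") for i in range(25)]
)


def triage(entries):
    """Return findings as dicts with kind, actor, time and detail, oldest first."""
    findings, buckets = [], defaultdict(list)
    for e in entries:
        app, actor = e["id"]["applicationName"], e["actor"]["email"]
        when = _parse_time(e["id"]["time"])
        for ev in e["events"]:
            name = ev["name"]
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            if name in ALWAYS_ALERT:
                findings.append({"kind": name, "actor": actor, "time": when, "detail": params})
            if app == "admin" and name == "ASSIGN_ROLE" and params.get("ROLE_NAME") == SUPER_ADMIN_ROLE:
                findings.append({"kind": "super_admin_granted", "actor": actor, "time": when,
                                 "detail": {"target": params.get("USER_EMAIL")}})
            if (app, name) in BURST_RULES:
                buckets[(app, name, actor)].append(when)
    # Sliding window: fire once per actor when `count` events fall inside `window`.
    for (app, name, actor), times in buckets.items():
        count, window = BURST_RULES[(app, name)]
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= count:
                findings.append({"kind": f"burst:{name}", "actor": actor, "time": t,
                                 "detail": {"count": hi - lo + 1, "window": str(window)}})
                break
    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f['time']:%H:%M:%S} {f['kind']:<22} {f['actor']:<20} {f['detail']}")
```

The single failed login by `di@example.com` and the ordinary `login_success` produce nothing; the 2SV removal, the Super Admin grant, the suspicious login, and the two bursts each produce one finding. The same loop works on real output from the Reports API (which GAM’s report commands wrap) once you page through `activities.list` for each application name.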

4. Restrict Third-Party App Access (API Controls): Head to Security > Access and data control > API controls. Here you can see every third-party app that users have granted access to your Workspace data via OAuth. You may be surprised: employees connect all sorts of apps over time (project management tools, Chrome extensions, mobile apps), and each grant is a token that keeps working without the user’s password or MFA.

Evaluate these and block any that are unneeded or risky. Look in particular for apps holding full access to Gmail or read/write access to all of Drive; if your business doesn’t absolutely need one, mark it Blocked, which revokes the existing grants. Then, under the setting for unconfigured third-party apps, stop allowing any app by default: choose the option that lets users access only apps requesting basic sign-in information (or block unconfigured apps entirely), and mark the known-good apps you do rely on as Trusted. After that, a malicious app an employee is phished into authorizing gets no data access without admin approval.

OAuth consent phishing and compromised integrations bypass passwords and MFA entirely, because the token itself is what the attacker walks away with, so this control is a big win for security.

5. Secure Your Google Groups Settings: If you use Google Groups for distribution lists or team forums, review their settings. Groups sometimes end up allowing anyone to post or join, which is rarely what was intended.

In Admin Console > Apps > Google Workspace > Groups for Business, set the defaults so new groups are private (only members can view conversations) and decide whether external members are allowed at all. Then go group by group (or script it with GAM) and check “Who can join”, “Who can post”, and “Who can view conversations” so outsiders can’t join or post unless that group genuinely needs it. An infamous example: companies have left an “All Hands” group open so that anyone on the internet could email every employee, which is a spammer’s and phisher’s dream.

Close those gaps. Lock down who can post (usually members only, or a few designated roles for announcement lists). Groups are powerful but need governance to avoid information leakage or abuse.

6. Enforce Password Policies and Login Security: Out of the box, Google requires only an 8-character password. In Admin Console > Security > Authentication > Password management, raise the minimum length (12 characters is a sensible floor) and check “Enforce strong password” so Google rejects weak and commonly used passwords.

Also disallow password reuse so users can’t cycle among the same few, and leave expiration set to never: forced periodic rotation produces predictable variations and is no longer recommended. Though MFA greatly lessens password risk, strong passwords still matter, especially for any account that ended up outside 2SV enforcement (shared mailboxes, exempted organizational units). Under Security > Authentication > Login challenges you can also have Google challenge suspicious sign-ins with an employee ID; with MFA everywhere that matters less. Finally, note that Google retired Less Secure Apps access in 2024, so a bare password no longer works for IMAP, POP, or SMTP (the basic-auth path that bypassed MFA, much like legacy authentication on Microsoft’s side). The remaining basic-auth path is app passwords, which only 2SV users can create; if nobody needs legacy mail clients, turn off IMAP and POP under Apps > Google Workspace > Gmail > End User Access so there is nothing for an app password to unlock.

7. Enable Endpoint Management (Basic) for Devices: Google Workspace includes basic device management even in lower tiers. In Admin Console > Devices, basic mobile management is available for phones and tablets without installing an agent: it can require a screen lock on any device that syncs your email and lets you wipe the work account from a device that is lost or belongs to an employee who has left. For computers, enroll company-owned Chromebooks under your admin control and, on plans that include it, use Google Credential Provider for Windows (enhanced desktop security) to tie Windows sign-in to the Workspace account. If that sounds like overkill for your company, at least instruct BYOD users to keep devices updated and run antivirus.

Google’s endpoint management won’t replace dedicated MDM for all needs, but toggling on the basics (like requiring a work profile for Android, or not allowing unpatched devices) adds another layer of defense.

8. Review and Tighten App Access for Google Drive (OAuth scopes): This deserves separate mention. In the same API controls area as #4, open Manage Google Services and set any service whose data no third-party app needs (Drive, Gmail, Calendar, Contacts) to Restricted rather than Unrestricted. For example, if nothing outside Google touches your Drive files, restrict Drive.

When a service is Restricted, an app can no longer obtain that service’s sensitive OAuth scopes just because a user clicked Allow; only apps you have marked Trusted under Manage Third-Party App Access get through. That Trusted list is where you allowlist the few integrations that genuinely need Gmail or Drive data.

The principle: trust but verify. Only allow known third-party apps.
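Deciding which grants to keep is easier when you rate each app by the scopes it actually holds. The script below is an added example for this article (not code from Cinch I.T. or Google) and serves both the API-controls review in #4 and the per-service restriction in #8: it groups token grants by app, rates each app by its most sensitive scope, skips apps you have marked trusted, and lists the (user, app) pairs to revoke. The records are constructed, but follow the shape of Directory API `tokens.list` results (`clientId`, `displayText`, `scopes`, `userKey`). The scope URIs are Google’s real scope identifiers; the app names, client IDs, and the trusted list are assumptions for illustration.

```python
"""Rate third-party OAuth grants by the data they can reach and plan revocations.

Added example for this article (not code from Cinch I.T. or Google). Records
are constructed in the shape of Directory API tokens.list results.
"""

# Scopes that expose mail or file contents wholesale; the label is for the report.
RISKY_SCOPES = {
    "https://mail.google.com/": ("high", "full Gmail access (read, send, delete)"),
    "https://www.googleapis.com/auth/gmail.modify": ("high", "read and modify all Gmail"),
    "https://www.googleapis.com/auth/gmail.readonly": ("high", "read all Gmail"),
    "https://www.googleapis.com/auth/drive": ("high", "read/write every Drive file"),
    "https://www.googleapis.com/auth/drive.readonly": ("high", "read every Drive file"),
    "https://www.googleapis.com/auth/contacts": ("medium", "read/write contacts"),
    "https://www.googleapis.com/auth/calendar": ("medium", "read/write calendar"),
}
RANK = {"trusted": -1, "low": 0, "medium": 1, "high": 2}

# Constructed sample: what tokens.list over four users might return.
SAMPLE_TOKENS = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Example CRM Sync",
     "userKey": "ana@example.com",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Example CRM Sync",
     "userKey": "bo@example.com", "scopes": ["https://mail.google.com/"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Example e-Signature",
     "userKey": "cy@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive.file",   # per-file, user-picked: low risk
                "https://www.googleapis.com/auth/userinfo.email"]},
    {"clientId": "333.apps.googleusercontent.com", "displayText": "Example Calendar Widget",
     "userKey": "di@example.com", "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"clientId": "444.apps.googleusercontent.com", "displayText": "Approved Ticketing Tool",
     "userKey": "di@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
]
TRUSTED_CLIENT_IDS = {"444.apps.googleusercontent.com"}  # assumption: apps you have vetted


def rate_scopes(scopes):
    """Return (level, [(scope, why), ...]) for one token's scope list."""
    hits = [(s, RISKY_SCOPES[s][1]) for s in scopes if s in RISKY_SCOPES]
    level = max((RISKY_SCOPES[s][0] for s, _ in hits), key=RANK.get, default="low")
    return level, hits


def triage_tokens(tokens, trusted=TRUSTED_CLIENT_IDS):
    """Aggregate grants per app: highest level seen, users, and the scopes of concern."""
    apps = {}
    for t in tokens:
        if t["clientId"] in trusted:
            level, hits = "trusted", []
        else:
            level, hits = rate_scopes(t.get("scopes", []))
        app = apps.setdefault(t["clientId"], {"app": t["displayText"], "level": level,
                                              "users": set(), "scopes": set()})
        if RANK[level] > RANK[app["level"]]:
            app["level"] = level
        app["users"].add(t["userKey"])
        app["scopes"].update(s for s, _ in hits)
    return apps


def revoke_plan(tokens, trusted=TRUSTED_CLIENT_IDS, at_least="high"):
    """(user, clientId) pairs to revoke: every grant to an untrusted app rated at_least or worse."""
    apps = triage_tokens(tokens, trusted)
    return sorted((t["userKey"], t["clientId"]) for t in tokens
                  if RANK[apps[t["clientId"]]["level"]] >= RANK[at_least])


if __name__ == "__main__":
    ranked = sorted(triage_tokens(SAMPLE_TOKENS).items(), key=lambda kv: -RANK[kv[1]["level"]])
    for cid, info in ranked:
        print(f"{info['level']:<8} {info['app']:<26} users={len(info['users'])} scopes={sorted(info['scopes'])}")
    print("revoke:", revoke_plan(SAMPLE_TOKENS))
```

Each pair in the revoke plan maps to one Directory API `tokens.delete(userKey, clientId)` call (the same call GAM makes when you delete a user’s token by client ID); marking the app Blocked in API controls does the same for everyone at once and keeps it blocked going forward.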

9. Utilize Google’s Advanced Security Features (if available): If you have Google Workspace Enterprise or certain addons, make use of things like Context-Aware Access (which allows Conditional Access-type policies: e.g., only allow login if device is encrypted or from certain IP ranges).

Also, Security Center (on Enterprise plans) gives a dashboard of threats and recommendations specific to your org. Review this periodically for insights. Many SMBs stick with Business Standard or Plus; note that Business Plus includes Vault (for retention) and enhanced security. If you handle sensitive data or heavy compliance, upgrading to get those features might be worthwhile. Vault, for example, ensures you can retain and e-discover emails/files even if deleted – a good protection against malicious deletion.

10. Leverage Alert Center and Investigate Tool: We mentioned alerts, but also know you have an Investigation Tool (in higher tiers) where you can search across logs and take bulk actions. For instance, if a user got phished, you can use Investigate to find all emails with the same malicious link across all mailboxes and delete them.

Even without that tool, familiarize yourself with the admin quarantine (if you have configured quarantine rules, suspicious mail lands there for review) and with how to quickly reset a password, sign a user out everywhere, and revoke tokens during an incident. Speed is key to containing damage. Google provides the tools, but you should practice using them before you need them.

For example, walk through what you’d do if an account were compromised: reset the password, sign the user out of all sessions, revoke their OAuth tokens and app passwords, check the login and Drive audit logs for what the attacker touched, remove any suspicious OAuth apps, and check Gmail for forwarding rules and filters the attacker may have added.

Overview

By enabling these settings, you’re closing common holes in Workspace security. Google Workspace offers enterprise-grade security, but only if you, the admin, configure it so. 

Many SMB breaches or data leaks could have been prevented by simply turning on features that already exist in the platform. For instance, Google’s sharing defaults lean toward collaboration; it’s up to you to dial them down to fit your risk tolerance. Likewise, MFA enrollment may be allowed but not enforced; an admin decision can change that in minutes and shut out the large majority of attacks that rely on a guessed or stolen password alone.

Don’t feel overwhelmed: tackle these 10 settings one by one. Even implementing just the first two (MFA and sharing restrictions) will greatly improve your security posture. And remember, security is an ongoing process: keep an eye on Google’s updates, as new security features and edition changes arrive regularly.

For additional help, consider an IT security audit or managed services. Many providers, like Cinch I.T., manage Google Workspace security as part of their cybersecurity offering and apply these 10 admin settings for you.

Conclusion

By taking a proactive stance and applying these 10 admin settings for Google Workspace security, you let your staff enjoy the productivity of Workspace without unknowingly putting data at risk. A few hours in the admin console now can prevent disasters such as a breached account sending thousands of spam messages, or a Drive file with customer data leaking publicly.

The bottom line: click those toggles! Your future self (and your whole team) will thank you for implementing these 10 admin settings for Google Workspace security.

____________________________________________________________________________

About the Author

Niko Zivanovich is a Cybersecurity Leader with experience in helping organizations understand and achieve a more complete security posture. He is a co-owner of Cinch IT of Denver and has been working at Pellera Technology Solutions for 6 years, most recently as the Director of Cyber Defense and Threat Intelligence. Niko specializes in CISO advising, netsec ops, incident response, pen testing, and threat intelligence research. He holds multiple certifications through the SANS GIAC organization and is a Board Director for the InfraGard Colorado and Wyoming Chapter.

Enjoyed the 10 Admin Settings for Google Workspace Security article? If so then head over to our Blogs for more top tech tips.

Or follow our LinkedIn page for weekly tech tips, industry insights, and practical cybersecurity guidance for SMBs.

____________________________________________________________________________

About Cinch I.T.

Founded on the belief that I.T. support should be easy, Cinch I.T. has grown into one of the nation’s fastest-growing managed service providers. Our franchise model blends centralized expertise with local ownership, giving clients the best of both worlds. Our team is committed to being more than just a service provider, we’re your dedicated partner in achieving operational efficiency and peace of mind. With our fast, friendly, and transparent approach, you’ll always know where you stand.

Discover how Cinch IT Denver can support your success through smarter, more secure technology solutions. Contact us today!

_______________________________________________________________

Sources For 10 Admin Settings for Google Workspace Security Article

These 10 admin settings for Google Workspace security recommendations follow Google’s own security best practices for Workspace (Google’s support checklist for admins emphasizes 2SV, monitoring, and sharing controls – see support.google.com for “security checklist”).

The Hacker News recently highlighted key Workspace hardening tips, such as enforcing MFA and securing Drive link settings.

Industry analysis shows credential theft and misconfiguration are leading causes of cloud account breaches, which is why MFA and app control are so critical.

Additionally, a 2025 Nudge Security report identified the top five Workspace misconfigurations admins should fix, notably weak MFA enforcement and open sharing links. Our 10 admin settings for Google Workspace security guide above aligns with those expert findings to ensure you cover the bases that attackers commonly exploit.
