
The Google Workspace Security Checklist for Small Businesses

As a small business, you don't need the complexity of an enterprise security system. Here are some simple, essential and effective steps you can take to keep your business information secure. 

Protect your accounts

Use unique passwords everywhere!
A good password is the first line of defense for user and admin accounts. A password that is long and unique isn’t easily guessed. For example, think of a long sentence and use the first letter of each word as your password. Also, discourage password reuse across different accounts, such as email and online banking.

Require admins and key users to give extra proof of who they are
If someone manages to steal your password, 2-step verification (2SV) can prevent them from accessing your account. 2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code) to gain access. We recommend that everyone in your business use 2SV, but it’s especially important for admins and users who work with sensitive data such as financial records and employee information. You should enforce 2SV for admins and key users.

Admins should add recovery information to their account
If your admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Get backup codes ahead of time
If your business enforces 2SV and a user or admin loses access to their 2SV method, they won’t be able to sign in to their account. Examples are a user who receives 2SV verification codes on their phone and loses their phone, or a user who loses their security key. In a case like this, they can use a backup code for 2SV. Admins and users with 2SV turned on should generate and print backup codes and keep them in a secure location.

Create an additional super admin account
A business should have more than one super administrator account, each managed by a separate person. If your primary super admin account is lost or compromised, the backup super admin can perform critical tasks while the primary account is recovered. You create another super admin by assigning the super admin role to another user.
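An added example (not from the original post and not Google's own tooling) that turns the three checks above into one audit: it takes user records in the shape the Admin SDK Directory API users.list call returns (the records below are constructed; fetching them with an API client is not shown) and reports the super admin count, privileged users without 2SV, and privileged users missing recovery email or phone. KEY_USERS is an assumed, locally maintained list of non-admin users who handle sensitive data.

```python
# Constructed user records using the Directory API user resource field names
# (primaryEmail, isAdmin = super admin, isDelegatedAdmin, isEnrolledIn2Sv,
# isEnforcedIn2Sv, recoveryEmail, recoveryPhone, suspended). Not real accounts.
USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "suspended": False, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "recoveryEmail": "owner.backup@example.net", "recoveryPhone": "+15555550100"},
    {"primaryEmail": "it@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "recoveryEmail": "", "recoveryPhone": ""},
    {"primaryEmail": "finance@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "suspended": False, "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True},
    {"primaryEmail": "former@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "suspended": True, "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True},
]

# Assumed list of non-admin "key users" (finance, HR) who should also be on 2SV.
KEY_USERS = frozenset({"finance@example.com"})


def audit_accounts(users, key_users=KEY_USERS):
    """Return checklist findings for the active accounts in `users`."""
    active = [u for u in users if not u.get("suspended")]
    super_admins = [u for u in active if u.get("isAdmin")]
    # Admins of either kind plus key users are the accounts that must have 2SV.
    privileged = [u for u in active
                  if u.get("isAdmin") or u.get("isDelegatedAdmin")
                  or u["primaryEmail"] in key_users]
    emails = lambda rows: sorted(u["primaryEmail"] for u in rows)  # noqa: E731
    return {
        "super_admin_count": len(super_admins),
        # A lost or compromised primary super admin needs a second one as backup.
        "needs_second_super_admin": len(super_admins) < 2,
        "privileged_without_2sv": emails(
            u for u in privileged if not u.get("isEnrolledIn2Sv")),
        # Enrolled is not enough: enforcement stops a user from switching 2SV off.
        "privileged_2sv_not_enforced": emails(
            u for u in privileged if not u.get("isEnforcedIn2Sv")),
        # Recovery needs both a phone number and an email address on the account.
        "admins_missing_recovery": emails(
            u for u in privileged if (u.get("isAdmin") or u.get("isDelegatedAdmin"))
            and not (u.get("recoveryEmail") and u.get("recoveryPhone"))),
    }


if __name__ == "__main__":
    for key, value in audit_accounts(USERS).items():
        print(f"{key}: {value}")
```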

Keep information on hand for super admin password reset
If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can contact Google Support. To verify identity, Google asks questions about the organization’s account. The admin also needs to verify DNS ownership of the domain. You should keep account information and DNS credentials in a secure place in case they’re needed.

Super admins shouldn’t remain signed in to their account
Super admins can manage every aspect of your company’s account, and can access all business and employee data. Staying signed in to a super admin account when you aren’t performing specific administrative tasks can increase exposure to potential malicious activity. Super admins should sign in as needed to do specific tasks and then sign out.

Enable auto-update for apps and Internet browsers
To get the latest security updates, make sure your users enable auto-update for their apps and Internet browsers. If they use Chrome, you can configure auto-update for your entire organization.

Google Workspace Admin Setup for Gmail, Calendar, Drive, and Docs

Enable enhanced pre-delivery message scanning
Phishing is the malicious practice of sending email that attempts to trick users into revealing sensitive information, such as passwords, account numbers, or other personally identifiable information.

Google scans incoming messages to help protect against phishing. When Gmail identifies that an email may be a phishing attempt, it might display a warning or move the email to a spam folder. Enhanced pre-delivery message scanning enables Gmail to help catch email that previously might not be identified as phishing.

Enable additional Gmail safety checks
Google scans incoming messages to protect against malicious programs, such as computer viruses. Turn on additional safety checks for attachments, links, and external images to help catch email that previously might not be identified as malicious.

Make sure email recipients don’t mark your email as spam
Email spam is unsolicited bulk email messages. It’s generally used by unscrupulous advertisers because there are no operating costs beyond that of managing their mailing lists.

Sender Policy Framework (SPF) is an email security method to authorize legitimate email sent by users at your company. An SPF record identifies which mail servers are allowed to send email on behalf of your domain. If you don't set up SPF for your domain, some messages could bounce or could be marked as spam.
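An added example (not from the original post) of what a receiving server does with your SPF record: a small evaluator that resolves the ip4, ip6, include and all mechanisms against a constructed TXT table standing in for live DNS (the domains and addresses are made up; a/mx/ptr mechanisms and macros are left out). The "none" result for a domain without a record is the case the paragraph above warns about.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the include term plays the role of a
# mail provider's published record (a Workspace domain would include Google's).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "nospf.example": "",  # domain that publishes no SPF record at all
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when it has none."""
    txt = DNS_TXT.get(domain, "")
    return txt if txt.startswith("v=spf1") else None


def check_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 terms).
    """
    if depth > 10:  # RFC 7208 limits DNS-triggering mechanisms such as include
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no record: receivers may bounce or flag as spam
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced record returns pass
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present
```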

Restrict calendar sharing with people outside your company
User calendars can contain sensitive information. You should limit how your users share their calendars with external users. Restrict external calendar sharing to free/busy information only.

Limit who can see newly created files
You can specify who can see the files your users create. Make sure only the user who creates a file can open it until they explicitly share the file. Do this by turning Link Sharing off.

Warn users when they share a file with people outside your company
If you let users share files with external people, make sure they get a warning when they attempt to do this. The warning prompts them to confirm that they want to share the file with someone outside of your company.

Does your business have special security requirements?

Your business might have fewer than 10 people but have the information security requirements of a much larger company. For example, small investment and financial planning businesses, and any business that works with health information might have special regulatory, privacy, and security requirements. These companies might have dedicated IT admins who take care of these extra requirements.

Need help with your migration or remote IT service? Reach out to Apps Admins today for a free consultation and service quote. Our Cloud-Support and Services subscriptions start at $399.00 per month.
