Revolgy blog

10 practical ways to secure your Google Workspace in 2026

Written by Tereza Grill | March 22, 2026

Google builds a lot of security into Workspace, but it cannot control how your team uses it. If a person uses a weak password or shares a confidential folder with a public link, the best infrastructure in the world won’t prevent a data leak.

Most security issues happen because of small, everyday oversights. You can fix these by adjusting specific settings in your Google Admin console. In this guide, we’ll explore the best practices for Google Workspace security, look at specific features and tools, and provide steps to improve the security of your environment.

 

Quick links:

1. Require 2-step verification for everyone
2. Limit the number of administrators
3. Disable automatic email forwarding
4. Manage how Gemini uses your data
5. Control third-party app permissions
6. Standardize your file sharing and storage
7. Turn on enhanced email scanning
8. Prove your emails are real (SPF, DKIM, and DMARC)
9. Manage devices and endpoints
10. Use the Alert Center

 

What settings to check & change

While some of these settings take only a few minutes to update, they are the most effective way to stop an accidental leak or a targeted attack.

1. Require 2-step verification for everyone

If someone steals an employee’s password, they can get into your system from anywhere. 2-step verification stops this by requiring a second proof of identity.

In the Admin console (Security > Authentication > 2-step verification) turn on enforcement for every organizational unit, and restrict the allowed methods: Google lets you choose “Any except verification codes via text, phone call” or “Only security key”. Text message codes are no longer considered safe for two main reasons:

  • SIM swapping: An attacker convinces the phone provider to move your employee’s number to a SIM they control, and from then on the codes arrive on the attacker’s phone.
  • SS7 attacks: Signaling System No. 7 (SS7) is the telephone signalling protocol suite from 1975 that still routes calls and text messages between carriers. It was designed for a closed network of trusted operators and has no authentication or encryption, so anyone with access to the signalling network can reroute an employee’s SMS to themselves and read the login code in transit.

The better way: Use passkeys or a hardware security key (FIDO2), with an authenticator app such as Google Authenticator as the fallback. A passkey’s private key stays on the device, is unlocked locally (fingerprint, face or PIN), and the signature it produces is bound to the real accounts.google.com origin, so a phishing page cannot capture or replay it. Authenticator codes are also generated on the device and never cross the phone network, but a user can still be tricked into typing one into a fake login page, which is why passkeys or security keys are the stronger choice for admins and other high-value accounts.

2. Limit the number of administrators

A Super Admin can change every setting in your company and, through the admin tools, reach every user’s mail and files. You should have at least two Super Admins so you aren’t locked out, but you should never have more than four.

In a professional setup, we follow the principle of least privilege. This means most of your team shouldn’t be Super Admins. Instead, you should give them limited roles, like a Help Desk Admin (who can only reset passwords) or a User Management Admin (who can only add or remove staff).

The better way: Every administrator should have a separate admin-only account (like admin.john@company.com) that is different from their daily email, is never used for browsing or reading mail, and is required to sign in with a security key or passkey.

3. Disable automatic email forwarding

Many employees set up automatic forwarding so they can see work emails in a personal inbox. This means your company data is being stored in an account you do not own or manage. A forwarding rule is also a classic step after a mailbox compromise: an attacker who gets into one account quietly forwards everything to an address they control, and the rule keeps working after the password is changed.

You should change your Gmail settings (Apps > Google Workspace > Gmail > End User Access > Automatic forwarding) to prevent users from forwarding emails to addresses outside of your organization, and periodically review the forwarding addresses and filters that already exist.

The better way: Use a Collaborative Inbox (like sales@company.com) to let multiple people manage the same emails within your secure environment.

4. Manage how Gemini uses your data

You need to make sure that your private company information is not being used to train public AI models.

Check the Admin console to define where Gemini is turned on (per organizational unit) and what data it can access. There are two main reasons to manage this carefully:

  • Using your data for AI training: If your employees use a personal AI account for work, the information they type in can be used by the AI provider to improve its general models.
  • Using unauthorized AI tools: Employees copy and paste sensitive company data into free, unapproved AI tools they find online, and you lose the ability to control what happens with the data.

Give staff Gemini through your managed Workspace subscription rather than personal accounts. Under Google’s Workspace terms, your organization’s data is not used to train models for other customers, and prompts and outputs stay within your secure company environment where your retention and audit settings apply.

Read more about why Shadow AI is so risky for your business in this article.

5. Control third-party app permissions

Small apps or browser extensions that ask for OAuth scopes like “read, compose and send” email or full Drive access are a big security risk: once granted, the app holds a token that works without the user’s password and survives a password change.

Check the “App access control” section of your console (Security > Access and data control > API controls). If you see apps that haven’t been used in three months, remove them. You can also change the settings so users must ask for your approval before connecting any new apps.

The better way: Set up an allow-list of approved apps, so your team only uses tools that have been vetted for security, rather than connecting every free app they find online.

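The review logic below is an added example, not Revolgy’s or Google’s code. It takes a list of OAuth grants in the shape returned by the Admin SDK Directory API tokens.list method (clientId, displayText, scopes), plus a hand-added last_used date that the API itself does not return, and decides which grants to revoke and which to hand to a human. The allow-list, the high-risk scope table, the 90-day threshold and the sample grants are assumptions constructed for the demonstration.

```python
"""Review users' third-party OAuth grants against an allow-list of vetted
apps, a table of high-risk scopes and a staleness threshold.

Added example, not Revolgy's or Google's code. SAMPLE_TOKENS is
constructed in the shape of Admin SDK Directory API tokens.list items
(clientId, displayText, scopes) plus a hand-added last_used date, which
that API does not return; the allow-list and risk table are assumptions.
"""
from datetime import date, timedelta

# Scopes that let an app read, send or delete a user's data (real scope URIs).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.modify": "read and modify mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "full Drive access",
}
# OAuth client IDs of apps that passed a security review (assumed values).
ALLOWED_CLIENT_IDS = {"111-calsync.apps.googleusercontent.com"}
STALE_AFTER = timedelta(days=90)

TODAY = date(2026, 3, 22)
SAMPLE_TOKENS = [  # constructed sample grants
    {"user": "alice@corp.example", "clientId": "111-calsync.apps.googleusercontent.com",
     "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": date(2026, 3, 20)},
    {"user": "alice@corp.example", "clientId": "222-tracker.apps.googleusercontent.com",
     "displayText": "Free Email Tracker",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify"],
     "last_used": date(2026, 3, 17)},
    {"user": "bob@corp.example", "clientId": "333-pdf.apps.googleusercontent.com",
     "displayText": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive.file"],
     "last_used": date(2025, 11, 22)},
    {"user": "bob@corp.example", "clientId": "111-calsync.apps.googleusercontent.com",
     "displayText": "Calendar Sync",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
     "last_used": date(2025, 9, 3)},
]


def review_tokens(tokens, today=TODAY):
    """Return one finding per grant that needs action, with the reasons and a verdict."""
    findings = []
    for t in tokens:
        reasons = []
        vetted = t["clientId"] in ALLOWED_CLIENT_IDS
        if not vetted:
            reasons.append("app is not on the allow-list")
        risky = False
        for scope in t["scopes"]:
            if scope in HIGH_RISK_SCOPES:
                risky = True
                reasons.append(f"high-risk scope: {HIGH_RISK_SCOPES[scope]}")
        idle = today - t["last_used"]
        stale = idle > STALE_AFTER
        if stale:
            reasons.append(f"not used for {idle.days} days")
        if not reasons:
            continue  # vetted, harmless scopes, recently used: nothing to do
        # An unvetted app that is dangerous or abandoned is revoked outright;
        # a vetted app that merely went quiet is queued for a human to check.
        action = "revoke" if not vetted and (risky or stale) else "review"
        findings.append({"user": t["user"], "app": t["displayText"],
                         "clientId": t["clientId"], "action": action,
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_tokens(SAMPLE_TOKENS):
        print(f"{f['action']:6} {f['user']:22} {f['app']:20} {'; '.join(f['reasons'])}")
```

With live data you would fetch each user’s grants through the Directory API (`service.tokens().list(userKey=email)`) and revoke with `service.tokens().delete(userKey=email, clientId=...)`; last-used dates are shown on the App access control page in the console rather than by the API, so a scheduled review still needs that input.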
6. Standardize your file sharing and storage

Sharing a document with “Anyone with the link” means that anyone who obtains the URL, whether it was forwarded, pasted into a chat or left in a browser history, can open the file without signing in, and you have no record of who did. Files set to be discoverable on the web can additionally turn up in search results.

You should set the default general access for new files to “Restricted” and, in the Drive sharing settings, turn off sharing outside your organization or limit it to allow-listed partner domains, which removes the ability for users to create public links at all. Additionally, you should move all company projects into Shared Drives. In a Shared Drive, the organization owns the files rather than the individual, so data is not lost or orphaned when a person leaves the company.
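The audit below is an added example, not Revolgy’s or Google’s code. It walks a list of Drive files constructed in the shape of Drive API v3 file resources with their permissions expanded, and reports the three states this section warns about: public links, access by accounts outside the company domain, and files that still live in an individual’s My Drive instead of a shared drive. The company domain corp.example, the file names and the IDs are invented for the demonstration.

```python
"""Audit Drive files for 'anyone with the link' access, external sharing
and files that are still owned by an individual rather than a shared drive.

Added example, not Revolgy's or Google's code. FILES is constructed in the
shape of Drive API v3 file resources (id, name, driveId, owners,
permissions); corp.example is the assumed company domain.
"""
COMPANY_DOMAIN = "corp.example"

FILES = [  # constructed sample files
    {"id": "f1", "name": "Board minutes.docx", "driveId": None,
     "owners": [{"emailAddress": "alice@corp.example"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@corp.example"},
         {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Customer list.xlsx", "driveId": None,
     "owners": [{"emailAddress": "bob@corp.example"}],
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "bob@corp.example"},
         {"type": "user", "role": "writer", "emailAddress": "bob.home@gmail.example"}]},
    {"id": "f3", "name": "Q1 plan", "driveId": "0ASharedDriveFinance", "owners": [],
     "permissions": [{"type": "domain", "role": "reader", "domain": "corp.example"}]},
    {"id": "f4", "name": "Press kit.pdf", "driveId": "0ASharedDriveMarketing", "owners": [],
     "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def _is_external(perm, company_domain):
    """True for a user, group or domain grant that points outside the company."""
    if perm["type"] in ("user", "group"):
        return not perm["emailAddress"].lower().endswith("@" + company_domain)
    if perm["type"] == "domain":
        return perm["domain"].lower() != company_domain
    return False


def audit_sharing(files, company_domain=COMPANY_DOMAIN):
    """Return (file name, problem) pairs for every risky sharing state found."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            if p["type"] == "anyone":
                # allowFileDiscovery=True is 'public on the web'; False is link-only.
                how = "public and searchable" if p.get("allowFileDiscovery") else "anyone with the link"
                findings.append((f["name"], f"{how} ({p['role']})"))
            elif _is_external(p, company_domain):
                who = p.get("emailAddress") or p.get("domain")
                findings.append((f["name"], f"external {p['role']}: {who}"))
        # Files in a shared drive carry a driveId; the rest belong to one person.
        if not f.get("driveId"):
            owner = f["owners"][0]["emailAddress"] if f["owners"] else "unknown"
            findings.append((f["name"], f"in My Drive of {owner}, not a shared drive"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_sharing(FILES):
        print(f"{name:22} {problem}")
```

Against a live tenant you would page through `files.list` with `fields="files(id,name,driveId,owners,permissions)"`, `includeItemsFromAllDrives=True` and `supportsAllDrives=True` under a domain-wide delegated service account; note that for files inside shared drives the `permissions` field is not populated and you call `permissions.list` per file instead.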

7. Turn on enhanced email scanning

Google has two related settings under Gmail > Safety. “Enhanced pre-delivery message scanning” briefly holds a message that looks suspicious while Google runs extra phishing and malware checks before it reaches the inbox. The “Security sandbox” (available in the higher editions) goes further and opens incoming attachments in an isolated virtual machine to watch what they actually do, which is the best way to catch “zero-day” threats (new malware that no signature has identified yet). Turn on both where your edition allows.

The risk: If the settings are too strict, you might accidentally block legitimate emails from your customers.

8. Prove your emails are real (SPF, DKIM, and DMARC)

If you don’t set up these three DNS records, it is easy for others to send fake emails that look like they come from your domain.

  • SPF tells receiving servers which systems are allowed to send mail for your domain. For Workspace the record is normally “v=spf1 include:_spf.google.com ~all”, plus an include for each third-party sender such as a marketing or ticketing tool.
  • DKIM signs each outgoing message with a private key held by Google; receivers verify the signature against the public key you publish in DNS, so neither the content nor the From domain can be altered in transit.
  • DMARC tells receivers what to do with mail that fails both SPF and DKIM alignment (p=none to monitor, p=quarantine, p=reject) and where to send aggregate reports (rua=), which show you who is sending as your domain.

The risk: This is one of the most common areas where we find errors. If these records are set up incorrectly, your own emails may be marked as spam or blocked entirely by your clients. The usual causes are an SPF record that exceeds the limit of 10 DNS lookups (every include, a, mx, ptr and exists term counts, including nested includes), two SPF records published for the same domain, or a DMARC policy moved to quarantine or reject before every legitimate sender was covered. Start with p=none, read the reports, and tighten the policy only when they show nothing legitimate failing.

More on SPF, DKIM, and DMARC in this article.
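As an added example (not Revolgy’s or Google’s code), the checker below applies the rules from this section to a domain’s SPF and DMARC records. Instead of live DNS it reads from SAMPLE_DNS, a constructed map of DNS name to TXT strings; the _spf.google.com entry is copied from Google’s published record (verify with dig before relying on it), and all other domains are invented. Lookups into names absent from the map count as one query but are not expanded, so real-world totals can only be higher than what it reports. DKIM is not checked here because verifying it needs a signed message, not just DNS.

```python
"""Check a domain's SPF and DMARC TXT records for the mistakes that get
legitimate mail rejected or leave spoofing unblocked.

Added example, not Revolgy's or Google's code. SAMPLE_DNS stands in for
live DNS: only _spf.google.com mirrors a real published record, the rest
are invented names. Names missing from the map count as one lookup but
are not expanded, so real totals can only be higher.
"""
import re

MAX_SPF_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a permanent error

SAMPLE_DNS = {  # constructed: name -> list of TXT strings
    "good.example": ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "bad.example": ["v=spf1 include:_spf.google.com +all", "v=spf1 a mx -all"],
    "_dmarc.bad.example": ["v=DMARC1; p=none"],
    "heavy.example": ["v=spf1 include:_spf.google.com include:vendor-a.example "
                      "include:vendor-b.example mx -all"],
    "vendor-a.example": ["v=spf1 include:v1.example include:v2.example "
                         "include:v3.example include:v4.example -all"],
    "vendor-b.example": ["v=spf1 include:w1.example include:w2.example include:w3.example a ~all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
}


def spf_records(name, dns):
    """All SPF records published at name; a correct domain has exactly one."""
    return [r for r in dns.get(name, []) if r.lower().startswith("v=spf1")]


def spf_lookups(record, dns, seen):
    """Count DNS-querying terms, following include:/redirect= into other records."""
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("include:") or term.startswith("redirect="):
            target = re.split(r"[:=]", term, 1)[1]
            count += 1
            if target not in seen:  # guard against include loops
                seen.add(target)
                for sub in spf_records(target, dns):
                    count += spf_lookups(sub, dns, seen)
        elif re.match(r"^(a|mx)(?:[:/]|$)|^ptr|^exists:", term):
            count += 1
    return count


def check_spf(domain, dns):
    records = spf_records(domain, dns)
    if not records:
        return ["no SPF record: receivers cannot tell which servers may send as you"]
    if len(records) > 1:
        return ["multiple SPF records: a permanent error, receivers treat SPF as failed"]
    issues, terms = [], records[0].split()[1:]
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        issues.append("ends with +all: any server on the internet may send as you")
    elif not last.endswith("all"):
        issues.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    n = spf_lookups(records[0], dns, set())
    if n > MAX_SPF_LOOKUPS:
        issues.append(f"{n} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}: "
                      "SPF returns permerror and your own mail can be rejected")
    return issues


def check_dmarc(domain, dns):
    records = [r for r in dns.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    issues, policy = [], tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag: record is ignored")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return issues


def audit(domain, dns=SAMPLE_DNS):
    return {"spf": check_spf(domain, dns), "dmarc": check_dmarc(domain, dns)}


if __name__ == "__main__":
    for d in ("good.example", "bad.example", "heavy.example"):
        print(d, audit(d))
```

heavy.example shows why vendor includes bite: Google’s include alone costs four lookups, and two vendors with their own nested includes push the total to fifteen, well past the limit, even though the record itself looks short.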

9. Manage devices and endpoints

If an employee loses a phone, your data is at risk. Basic endpoint management is on by default for Workspace accounts: under Devices > Mobile & endpoints, check that a screen lock or passcode is required on any device that signs in to work email, and use the remote wipe option to delete the work account from a device that is lost or stolen. Advanced management adds stronger device policies but needs a management app or profile installed on the device.

How we help: We help you set up rules that only protect company files, leaving the employee’s personal photos and information untouched.

10. Use the Alert Center

In Security > Alert center, Google’s predefined rules cover events such as a suspicious login, a leaked password, phishing reported by users and government-backed attack warnings; open each rule and turn on email notification so someone is told the moment it fires. For things Google does not alert on by default, such as a sudden large number of files being deleted, build a custom reporting rule on the audit logs with a threshold that fits your organization.

The risk: Most companies have alerts turned on, but nobody is actually checking them. We help you filter these, so you only see the threats that matter.

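The two detections below are an added example, not Revolgy’s or Google’s code, and show the logic behind the kind of rule this section describes. They run over constructed audit events in a simplified form of the Reports API activity records (time, actor, ipAddress, event name, doc_title). The IP-to-country table, the thresholds, and the choice to treat the first seven days of login history as each user’s “usual” countries are all assumptions; a real rule would use a GeoIP database and a longer baseline.

```python
"""Two Alert Center style detections run over constructed audit events:
a login from a country the user has never signed in from, and an actor
trashing many files in a short window.

Added example, not Revolgy's or Google's code. Events are hand-made in a
simplified Reports API activity shape; IP_COUNTRY, the thresholds and
the 7-day baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IP_COUNTRY = {"203.0.113.10": "CZ", "203.0.113.11": "CZ",  # assumed GeoIP table
              "198.51.100.7": "NG", "192.0.2.44": "CZ"}
BASELINE_DAYS = 7
MASS_DELETE_COUNT = 20
MASS_DELETE_WINDOW = timedelta(minutes=10)

BASE = datetime(2026, 3, 1, 8, 0, tzinfo=timezone.utc)


def _iso(dt):
    return dt.isoformat().replace("+00:00", "Z")


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _login(actor, ip, day, ok=True):
    return {"time": _iso(BASE + timedelta(days=day)), "actor": actor,
            "ipAddress": ip, "name": "login_success" if ok else "login_failure"}


def _drive(actor, when, title, name="trash"):
    return {"time": _iso(when), "actor": actor, "name": name, "doc_title": title}


# Constructed history: alice and bob sign in daily from CZ for a week, then
# alice signs in from NG on day 9; bob moves to a different CZ address.
LOGIN_EVENTS = (
    [_login("alice@corp.example", "203.0.113.10", d) for d in range(7)]
    + [_login("bob@corp.example", "203.0.113.11", d) for d in range(7)]
    + [_login("alice@corp.example", "203.0.113.10", 8),
       _login("alice@corp.example", "198.51.100.7", 8, ok=False),  # failed attempt, ignored
       _login("alice@corp.example", "198.51.100.7", 9),
       _login("bob@corp.example", "192.0.2.44", 9)]
)
# Constructed Drive log: bob trashes 25 files in two minutes, carol 5 files over 5 hours.
DRIVE_EVENTS = (
    [_drive("bob@corp.example", BASE + timedelta(days=19, seconds=5 * i), f"Q1 plan {i}.xlsx")
     for i in range(25)]
    + [_drive("carol@corp.example", BASE + timedelta(days=19, hours=i), f"Old draft {i}")
       for i in range(5)]
)


def unusual_country_logins(login_events, baseline_days=BASELINE_DAYS):
    """Flag successful logins from a country not seen for that user during the baseline."""
    if not login_events:
        return []
    events = sorted(login_events, key=lambda e: e["time"])
    start, usual, alerts = parse_time(events[0]["time"]), defaultdict(set), []
    for e in events:
        if e["name"] != "login_success":
            continue
        country, t = IP_COUNTRY.get(e["ipAddress"], "??"), parse_time(e["time"])
        if t - start < timedelta(days=baseline_days):
            usual[e["actor"]].add(country)          # learning phase
        elif country not in usual[e["actor"]]:
            alerts.append({"rule": "unusual_country", "actor": e["actor"],
                           "country": country, "time": e["time"]})
    return alerts


def mass_deletions(drive_events):
    """Flag an actor who trashes/deletes MASS_DELETE_COUNT files within MASS_DELETE_WINDOW."""
    by_actor = defaultdict(list)
    for e in drive_events:
        if e["name"] in ("trash", "delete"):
            by_actor[e["actor"]].append(parse_time(e["time"]))
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):            # sliding window over sorted timestamps
            while times[hi] - times[lo] > MASS_DELETE_WINDOW:
                lo += 1
            if hi - lo + 1 >= MASS_DELETE_COUNT:
                alerts.append({"rule": "mass_deletion", "actor": actor,
                               "count": hi - lo + 1, "time": _iso(times[hi])})
                break                           # one alert per actor
    return alerts


def run(login_events=LOGIN_EVENTS, drive_events=DRIVE_EVENTS):
    return unusual_country_logins(login_events) + mass_deletions(drive_events)


if __name__ == "__main__":
    for a in run():
        print(a)
```

The failed login from NG on day 8 does not poison alice’s baseline or raise an alert on its own; only the successful sign-in from a new country does, which is the behaviour you want from a rule that will page someone.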
Why work with a Google partner

Setting up these 10 steps is a technical project that needs regular attention. As a Google Cloud partner, Revolgy has the experience to manage these settings for you. We hold the Google Cloud Security Specialization, which is an official recognition of our work in keeping company data safe.

Managed Google Workspace by Revolgy

Security settings work best when they are checked and updated regularly. Our Managed Google Workspace service gives you an expert team to look after your environment, from the first security audit to every new policy change.

Our team takes care of the technical setup, adding new users, and monitoring for threats so your platform stays up to date with Google’s security standards. This gives you a protected environment without you having to navigate the background settings yourself.

To learn more about how we manage Google Workspace or to request a security audit, contact us today.

Read next: Your essential guide to Google Workspace security