Google Workspace Security Settings Every Startup Should Change
The Google Workspace admin security settings most startups never touch. Here's what to change and exactly where to find it.
Google Workspace is the default productivity suite for startups. You sign up, add your team, and start working. The problem is that the default settings are designed for convenience, not security. Most founders never open the admin console after initial setup.
That's a mistake. There are about a dozen settings that take 30 minutes to change and dramatically reduce your attack surface. Here's each one, where to find it, and why it matters.
1. Enforce 2-step verification for all users
This is the single most important setting. Without it, a compromised password gives an attacker full access to your employee's email, Drive, and every connected app.
Where: Admin console > Security > Authentication > 2-step verification.
What to change: Set enforcement to "On" and select "New user enrollment period" of one week. Choose "Any except verification codes via text, phone call" to block SMS-based verification. Authenticator apps and security keys are both fine.
Why: Google's own data shows that MFA blocks over 99% of automated attacks. SMS is excluded because it's vulnerable to SIM swapping. Authenticator apps (Google Authenticator, Authy, 1Password) are significantly more secure.
2. Disable less secure app access
Less secure apps are applications that access Google accounts using only a username and password, without OAuth. They're a relic from the early 2000s.
Where: Admin console > Security > Access and data control > Less secure apps.
What to change: Set to "Disable access to less secure apps for all users."
Why: Any application that authenticates with just a password is a security risk. Modern apps use OAuth, which provides token-based authentication without exposing the password. If an employee needs a legacy app that only supports password auth, that app needs to be replaced.
3. Set up DKIM, SPF, and DMARC
These three settings protect your email domain from being spoofed. Without them, anyone can send emails that look like they're from your domain.
SPF (Sender Policy Framework)
Where: Your DNS provider (not the Google Admin console).
What to add: A TXT record for your domain with the value "v=spf1 include:_spf.google.com ~all". If you use other services that send email (Mailchimp, SendGrid, etc.), include their SPF records too.
DKIM (DomainKeys Identified Mail)
Where: Admin console > Apps > Google Workspace > Gmail > Authenticate email.
What to do: Click "Generate new record." Copy the CNAME or TXT record and add it to your DNS. Then click "Start authentication" in the admin console.
DMARC (Domain-based Message Authentication)
Where: Your DNS provider.
What to add: Start with a monitoring-only policy: "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com". After a few weeks of monitoring, tighten to p=quarantine and eventually p=reject.
Why: Email spoofing is one of the most common attack vectors. With proper DKIM, SPF, and DMARC, mail servers can verify that emails from your domain are legitimate. Without them, an attacker can send phishing emails that appear to come from your CEO. This also affects email deliverability. Messages from domains without these records are more likely to land in spam.
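A quick way to confirm the records above actually say what you intend, as an added example that is not part of the original article: parse the SPF and DMARC TXT values and flag anything short of the end state the section describes. The two sample records are constructed; swap in the values returned by `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`.

```python
"""Offline check of the SPF and DMARC records described in section 3.
Added example, not from the article; sample records below are constructed."""

# Constructed sample records for a hypothetical domain.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_spf(record):
    """Return (include targets, qualifier of the 'all' mechanism or None)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
    qualifier = None  # "-" fail, "~" softfail, "?" neutral, "+" pass (the default)
    for t in terms[1:]:
        if t.lstrip("+-~?").lower() == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
    return includes, qualifier

def parse_dmarc(record):
    """Return a dict of DMARC tags, e.g. {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def audit(spf_record, dmarc_record):
    """Return findings; an empty list means the records match the article's end state."""
    findings = []
    includes, qualifier = parse_spf(spf_record)
    if "_spf.google.com" not in includes:
        findings.append("SPF does not include _spf.google.com, so mail sent via Gmail fails SPF")
    if qualifier in ("+", None):
        findings.append("SPF ends in +all or has no all term, so any sender passes")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; tighten to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine; move to p=reject once the reports look clean")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so you get no aggregate reports")
    return findings
```

Run audit(SAMPLE_SPF, SAMPLE_DMARC) and you get exactly one finding, the p=none reminder, which is the expected state during the monitoring weeks.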
4. Configure login challenges and alerts
Google can detect suspicious login activity (new device, unusual location, impossible travel) and challenge the user with additional verification.
Where: Admin console > Security > Authentication > Login challenges.
What to change: Make sure "Allow login challenges based on risks" is enabled. Under "Employee ID login challenge," configure it if you want to use employee IDs as an additional verification factor.
Also set up admin alerts: Admin console > Security > Alert center. Enable alerts for "Suspicious login activity," "Government-backed attack," and "User suspended due to suspicious activity."
Why: These alerts are your early warning system. A suspicious login from a country where you have no employees is worth investigating immediately. Without alerts enabled, you won't know until the damage is done.
5. Restrict external file sharing defaults
By default, Google Workspace lets users share files with anyone, including external email addresses. That's a data leak waiting to happen.
Where: Admin console > Apps > Google Workspace > Drive and Docs > Sharing settings.
What to change: Under "Sharing outside of your organization," select "Allowed, with a warning when sharing outside of your organization" at minimum. For stricter environments, choose "Only users in your organization."
For links, set the default to "Private to the owner" rather than "Anyone in your organization with the link." Employees can still share explicitly, but the default prevents accidental over-sharing.
Why: It's not that you never want to share externally. It's that the default should require a conscious decision rather than happening automatically.
6. Enable context-aware access (Business Plus and above)
Context-aware access lets you restrict access to Google Workspace apps based on device attributes, IP address, and geographic location. It's only available on Business Plus, Enterprise, and Education plans.
Where: Admin console > Security > Access and data control > Context-aware access.
What to configure: Create access levels based on your requirements. Common examples: require devices to be company-managed (MDM enrolled), require devices to be encrypted, block access from specific countries where you have no employees.
Why: This adds a layer of protection beyond username and password. Even with valid credentials, an attacker on an unmanaged device or from a blocked country can't access your data.
7. Set password requirements
Google's default password requirements are minimal. You should set a floor.
Where: Admin console > Security > Authentication > Password management.
What to change: Set minimum password length to at least 12 characters. Do not enforce complexity requirements (mixing uppercase, lowercase, numbers, symbols). Length matters far more than complexity. A 16-character passphrase is stronger than an 8-character complex password.
Enable "Enforce password policy at next sign-in" to apply the new requirement immediately. Set password expiration to "Never expires" or a long period (180+ days). Forcing frequent password changes leads to weaker passwords.
Why: NIST's current guidelines recommend long passwords without complexity requirements and without mandatory rotation. Google's defaults don't match these guidelines, so you need to set them manually.
8. Configure mobile device management
Google Workspace includes basic mobile device management. Even if you have a dedicated MDM tool like Kandji or Intune, you should configure Workspace's mobile settings as a baseline.
Where: Admin console > Devices > Mobile and endpoints > Settings > Universal settings.
What to change: Under "General," enable "Mobile management" and set it to "Advanced" (available on Business Plus and above). Require device passwords. Enable "Account wipe" to remotely remove company data from lost or stolen devices.
Under "Advanced settings," require encryption and block compromised devices (rooted/jailbroken).
Why: If employees access company email and Drive from their phones, those devices are part of your attack surface. Basic mobile management ensures a minimum security standard.
9. Review third-party app access
By default, users can grant third-party apps access to their Google data through OAuth. This means any Chrome extension, mobile app, or web tool can request access to a user's email, calendar, and Drive.
Where: Admin console > Security > API controls > Third-party app access.
What to change: Under "Settings," change "App access control" to "Don't allow users to access any third-party apps" and then explicitly whitelist the apps your company uses.
At minimum, review the list of apps that currently have access. You'll probably find apps you've never heard of with full Drive or Gmail access. Remove anything that isn't explicitly approved.
Why: Third-party app permissions are one of the most overlooked attack vectors. A malicious Chrome extension with Gmail read access can exfiltrate every email in an employee's inbox. Restricting OAuth access to approved apps prevents this.
10. Set up admin action alerting
Any changes to your admin console should be logged and reviewed. If someone adds a new admin, changes a security setting, or resets a password, you want to know about it.
Where: Admin console > Security > Alert center > Manage settings.
What to enable: Turn on alerts for: "Admin settings changed," "User added as admin," "Password reset by admin," and "Super admin password reset."
Also check: Admin console > Reporting > Audit and investigation > Admin log events. This shows a complete history of every admin action taken in your console.
Why: If an attacker compromises an admin account, the first thing they'll do is change settings to maintain access. Admin action alerts give you visibility into changes that could indicate a compromise.
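The alert center covers the live case; for periodic review of the admin log, here is an added example (not from the article) that triages exported admin log events for the three changes this section names. The records are constructed in the shape the Admin SDK Reports API returns for applicationName=admin, and the event names are assumed from that API's admin audit event list; both are assumptions to verify against your own export.

```python
"""Triage exported admin log events for the changes section 10 says to watch.
Added example, not from the article. Record shape and event names are assumed
from the Admin SDK Reports API (applicationName=admin); adjust to your export."""

# Event names assumed from the admin audit activity event list; verify against your export.
WATCHED_EVENTS = {
    "GRANT_ADMIN_PRIVILEGE": "user added as admin",
    "CHANGE_PASSWORD": "password reset by admin",
    "CHANGE_APPLICATION_SETTING": "admin setting changed",
}

def event(time, actor, name, target):
    """Build one constructed record in the assumed Reports API shape."""
    return {"id": {"time": time}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": [{"name": "USER_EMAIL", "value": target}]}]}

# Constructed sample export: one unwatched event, one routine reset, two worth investigating.
SAMPLE_EVENTS = [
    event("2024-05-01T09:12:00Z", "it@example.com", "CREATE_USER", "new@example.com"),
    event("2024-05-01T10:03:00Z", "it@example.com", "CHANGE_PASSWORD", "new@example.com"),
    event("2024-05-01T23:41:00Z", "sales@example.com", "GRANT_ADMIN_PRIVILEGE", "sales@example.com"),
    event("2024-05-02T02:15:00Z", "it@example.com", "GRANT_ADMIN_PRIVILEGE", "it@example.com"),
]

def triage(records, approved_admins):
    """Return (severity, time, actor, description, target) for each watched event.

    HIGH when the actor is not an approved admin or grants admin rights to
    themselves; INFO for routine actions by approved admins.
    """
    findings = []
    for rec in records:
        actor = rec["actor"]["email"]
        for ev in rec["events"]:
            label = WATCHED_EVENTS.get(ev["name"])
            if label is None:
                continue
            target = next((p["value"] for p in ev.get("parameters", [])
                           if p["name"] == "USER_EMAIL"), "-")
            self_grant = ev["name"] == "GRANT_ADMIN_PRIVILEGE" and actor == target
            severity = "HIGH" if actor not in approved_admins or self_grant else "INFO"
            findings.append((severity, rec["id"]["time"], actor, label, target))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"it@example.com"}):
        print(*finding)
```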
Do this today
If you only have time for three things, do these:
- Enforce 2-step verification. This blocks the vast majority of attacks.
- Set up DKIM, SPF, and DMARC. This protects your domain from email spoofing.
- Review third-party app access. This closes a common attack vector most startups ignore.
The rest of the settings can be done over the next week. None of them take more than 5 minutes individually.
If you want someone to handle your entire Google Workspace security configuration (along with everything else IT-related), that's what I do for remote teams. Book a call and I'll audit your current setup for free.