MailGuard Mar 26, 2024 1:16:05 PM 14 MIN READ

Keeping Email Safe for Clients Using Google Workspace

When it comes to business email and productivity suites, Microsoft and Google dominate the market. So, what advice do you offer those who are using Google Workspace to ensure that they’re keeping their email secure?

Here’s a security checklist from Google, for smaller businesses with fewer than 100 users.

Unique passwords

A good password is the first line of defense to protect user and admin accounts. Unique passwords aren’t easily guessed. For example, think of a long sentence and use the first letter of each word as your password.

Also discourage password reuse across different accounts, such as email and online banking.

For additional advice, see this page from Google with advice to create a strong password and a more secure account.


Require admins and key users to give extra proof of who they are

If someone manages to steal your password, 2-step verification (2SV) can prevent them from accessing your account. 

2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code) to gain access.

We recommend that everyone in your business use 2SV, but it’s especially important for admins and users who work with sensitive data such as financial records and employee information.

You should enforce 2SV for admins and key users.

See this page for advice from Google about protecting your business with 2-step verification.


Admins should add recovery information to their account.

If your admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Here’s more info on adding recovery options to your Admin account.

Get backup codes ahead of time

If your business enforces 2SV and a user or admin loses access to their 2SV method, they won’t be able to sign in to their account. Examples are a user who receives 2SV verification codes on their phone and loses their phone, or a user who loses their security key.

In a case like this, they can use a backup code for 2SV. Admins and users with 2SV turned on should generate and print backup codes and keep them in a secure location.

See this page to generate and print your backup codes


Create an additional super admin account.

A business should have more than one super administrator account, each managed by a separate person. If your primary super admin account is lost or compromised, the backup super admin can perform critical tasks while the primary account is recovered.

You create another super admin by assigning the super admin role to another user.

To assign Admin roles to a user, check out this page.


Keep information on hand for super admin password reset

If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can contact Google Support.

To verify identity, Google asks questions about the organization’s account. The admin also needs to verify DNS ownership of the domain. You should keep account information and DNS credentials in a secure place in case they’re needed.

For security best practices for admins, read more here.

Super admins shouldn’t remain signed in to their account.

Super admins can manage every aspect of your company’s account, and can access all business and employee data. Staying signed in to a super admin account when you aren’t performing specific administrative tasks can increase exposure to potential malicious activity. Super admins should sign in as needed to do specific tasks and then sign out. For daily administrative tasks, use an account with limited admin roles.


Enable auto update for apps and Internet browsers.

To get the latest security updates, make sure your users enable auto update for their apps and Internet browsers. If they use Chrome, you can configure auto-update for your entire organization.

For auto-update policies for Chrome, find out more here.

If the business is using Gmail, Calendar, Drive or Docs, Google offers further advice.


Turn on enhanced pre-delivery message scanning.

Phishing is the malicious practice of sending email that attempts to trick users into revealing sensitive information, such as passwords, account numbers, or other personally identifiable information.

Google scans incoming messages to help protect against phishing. When Gmail identifies that an email may be a phishing attempt, it might display a warning or move the email to a spam folder. Enhanced pre-delivery message scanning enables Gmail to help catch email that previously might not be identified as phishing.

To prevent phishing with pre-delivery message scanning, Google offers this advice.


Turn on additional malicious file and link screening for Gmail.

Google scans incoming messages to protect against malicious programs, such as computer viruses. Turn on additional safety checks for attachments, links, and external images to help catch email that previously might not be identified as malicious.

For advanced phishing and malware protection, click here.


Make sure email recipients don’t mark your email as spam

Email spam is unsolicited bulk email. It’s generally used by unscrupulous advertisers because there are no operating costs beyond those of managing their mailing lists.

Sender Policy Framework (SPF) is an email security method to authorize legitimate email sent by users at your company. An SPF record identifies which mail servers are allowed to send email on behalf of your domain.

If you don't set up SPF for your domain, some messages could bounce or could be marked as spam.

Authorise email senders with SPF. 

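To make concrete what an SPF record actually decides, here is an added example (not Google's or MailGuard's code, and not a full RFC 7208 implementation) that evaluates a record for a given sending IP. It handles the mechanisms a record like Google's recommended `v=spf1 include:_spf.google.com ~all` relies on: `ip4`, `ip6`, `include` and `all`, with the `+`, `-`, `~` and `?` qualifiers. DNS is replaced by an in-memory table of constructed TXT records so it runs offline; the include target name is Google's real one, but its contents here are made up and use documentation address ranges rather than Google's netblocks. The `a`, `mx`, `ptr`, `exists` and `redirect=` terms are deliberately not modelled.

```python
"""Added example: evaluating an SPF record for a sending IP (offline).

Constructed example; not Google's code and not a complete RFC 7208 evaluator.
"""
import ipaddress

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups. The netblocks are RFC 5737 / RFC 3849
# documentation ranges, not Google's real ones; the include chain is invented.
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.example.test ~all",
    "_netblocks.example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "strict.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "nospf.example.com": None,  # a domain that never published SPF
}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(domain: str, ip: str, txt: dict, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for `ip` sending as `domain`."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = txt.get(domain.lower())
    if not record:
        return "none"  # no SPF published: the receiver cannot authenticate the sender
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            inner = check_spf(arg, ip, txt, depth + 1)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: an unusable include is an error
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= are not modelled here
    return "neutral"  # no mechanism matched and no 'all' term


if __name__ == "__main__":
    for domain, ip in [
        ("example.com", "203.0.113.10"),       # inside the included netblock
        ("example.com", "198.51.100.7"),       # outside it: ~all gives softfail
        ("strict.example.com", "198.51.100.7"),  # -all gives a hard fail
        ("nospf.example.com", "203.0.113.10"),  # nothing published
    ]:
        print(f"{domain:24} {ip:16} -> {check_spf(domain, ip, FAKE_TXT)}")
```

The `none` result is the case the checklist warns about: with no record published, a receiver has nothing to authenticate against, and filtering falls back on reputation alone. The difference between `~all` and `-all` is the difference between a receiver treating an unlisted sender as suspicious and rejecting it outright.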

Restrict calendar sharing with people outside your company

User calendars can contain sensitive information. You should limit how your users share their calendars with external users. Restrict external calendar sharing to free/busy information only.

See here to set calendar visibility and sharing options.


Limit who can see newly created files

You can specify who can see the files your users create. Make sure only the user who creates a file can open it until they explicitly share the file. Do this by turning Link Sharing off.

Set the default for link sharing.


Warn users when they share a file with people outside your company

If you let users share files with external people, make sure they get a warning when they attempt to do this. The warning prompts them to confirm that they want to share the file with someone outside of your company.


Don’t let users share with outside parties.


Medium and larger businesses with more than 100 users can find additional advice from Google here.

Keeping Businesses Safe and Secure

Prevention is always better than a cure, and one of the best defences is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all email threats, so it’s crucial to remind customers that if they are using Google Workspace or Microsoft 365, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email security specialist like MailGuard.

MailGuard provides a range of solutions to keep businesses safe, from email filtering to email continuity and archiving solutions. Speak to your customers today to ensure they’re prepared, and get in touch with our team to discuss strengthening your customers’ Google Workspace and Microsoft 365 security.


Talk to us

MailGuard's partner blog is a forum to share information; we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.


Australian partners, please call us on 1300 30 65 10

US partners call 1888 848 2822

UK partners call 0 800 404 8993

We’re on Facebook, Twitter and LinkedIn.
