TECNICODESK

Google Workspace Security Checklist for Small Businesses

Google Workspace defaults favor easy setup over protection. These are the settings worth checking first.

Updated June 2026 · 7 min read

Google Workspace is a capable and secure platform, but out of the box it is tuned for quick onboarding rather than strong protection. For a business with 10 to 75 employees, most risk comes from a few admin and sharing settings that were never changed. Use this checklist to find the gaps.

Admin and identity

  • Enforce 2-Step Verification for every user. Prefer security keys or the Google prompt over SMS codes.
  • Limit super administrators to as few people as possible, and give each a separate admin account.
  • Review admin roles so staff only have the privileges they need.
  • Turn off access for less secure apps and review third-party OAuth apps that can reach your data.

Gmail and email security

  • Publish SPF, DKIM, and DMARC for your domain to reduce spoofing. Our DMARC and email security work covers this.
  • Turn on enhanced pre-delivery message scanning and the spoofing and authentication protections in Gmail safety settings.
  • Disable automatic external forwarding, a common path for quiet data theft.
  • Add external recipient warnings so staff can spot impersonation.
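
As an added example (not code from this page or from Google), the Python below lints SPF and DMARC TXT records for the weak settings that leave a domain spoofable. The domain example.com and every sample record are constructed, and the `include:_spf.google.com` check assumes Google Workspace is the domain's mail sender.

```python
# Added example: offline lint of SPF and DMARC TXT records.
# example.com and every record below are constructed sample input.

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def check_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records, which receivers treat as a permanent error"]
    terms, findings = spf[0].lower().split(), []
    if "include:_spf.google.com" not in terms:
        findings.append("Google's sending servers (_spf.google.com) are not authorized")
    if terms[-1] in ("all", "+all"):
        findings.append("'+all' authorizes any sender")
    elif terms[-1] not in ("-all", "~all"):
        findings.append("record does not end in -all or ~all")
    return findings

def check_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one DMARC record, found %d" % len(dmarc)]
    tags, findings = parse_tags(dmarc[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none requests no action on mail that fails DMARC")
    elif tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports are sent")
    return findings

WEAK_SPF = ["v=spf1 include:mailer.example.net ?all"]               # constructed
GOOD_SPF = ["v=spf1 include:_spf.google.com ~all"]                  # constructed
WEAK_DMARC = ["v=DMARC1; p=none"]                                   # constructed
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]   # constructed

if __name__ == "__main__":
    for label, findings in [("weak SPF", check_spf(WEAK_SPF)), ("good SPF", check_spf(GOOD_SPF)),
                            ("weak DMARC", check_dmarc(WEAK_DMARC)), ("good DMARC", check_dmarc(GOOD_DMARC))]:
        print(label, "->", findings or "ok")
```

Feed it the TXT strings returned for the domain and for `_dmarc.<domain>`; an empty list means none of these checks fired, not that the mail setup is complete (DKIM is not covered here).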

Drive and sharing

  • Review external sharing for Drive and Shared Drives. Default sharing is often broader than owners expect.
  • Set link-sharing defaults to restricted rather than anyone with the link.
  • Use Shared Drives for team content so files are not trapped in a single person's account.
  • Know where sensitive files live and who can reach them.

Devices

  • Turn on basic or advanced endpoint management so you can require screen locks and wipe access from lost devices.
  • Where licensed, use context-aware access to control risky sign-ins.

Monitoring and backup

  • Use the security and investigation tools to review sign-ins and alerts. Check the alert center regularly.
  • Add a third-party backup for Google Workspace. The platform is not a backup, and recovery is your responsibility.
  • Test a restore on a schedule, not only when something breaks.

Where to start

If you only do three things, enforce 2-Step Verification for everyone, lock down super admin access, and add a tested backup. From there, a Tecnico Ready security review gives you a prioritized list specific to your tenant, and Google Workspace security services covers ongoing hardening. If you also run Microsoft 365, see our Microsoft 365 security checklist.

Key takeaways

  • Google Workspace is not secure by default. The defaults favor easy setup.
  • Enforced 2-Step Verification plus tight super admin control is the highest-impact change.
  • Google Workspace is not a backup. Add one and test restores.
  • External Drive sharing is usually broader than owners realize. Review it.

FAQ

Google Workspace security questions

Is Google Workspace secure by default?

No. Google Workspace gives you strong security tools, but the default settings prioritize easy setup. Admin access, 2-Step Verification enforcement, Gmail authentication, and Drive sharing usually need to be tightened.

Does Google Workspace back up my data?

Not in the way most people expect. Google keeps the service running and offers limited retention, but recovering data after accidental deletion, a compromised account, or a departed employee is your responsibility. A separate backup is recommended.

What is the most important Google Workspace security setting?

Enforcing 2-Step Verification for every user, ideally with security keys or the prompt rather than codes alone, and tightly limiting who holds super administrator access.

Do I need Business Plus or Enterprise for good security?

Higher tiers add controls such as advanced endpoint management, context-aware access, and the security investigation tool. You can still improve security on lower tiers. The right plan depends on your size, risk, and budget, which a review helps decide.
