Google Workspace Security Checklist for Small Business (2026)
Most small businesses set up Google Workspace, add their team, and never touch the security settings. That leaves the door wide open — to phishing, data leaks, and account takeovers. This is the same 15-point checklist I run through with every new client. If you can check all 15, you're ahead of 90% of small businesses.
How to use this checklist: Items are color-coded by risk. Red = Critical, fix immediately (your business is exposed right now). Yellow = Important, fix this week (moderate risk). Green = Best practice (hardens your posture).
Authentication & Access
1. Enforce 2-Step Verification for all users
Go to Admin Console → Security → Authentication → 2-Step Verification. Set to "Enforced." This is the single most impactful security setting. Without it, a leaked password = full account access.
2. Use security keys or passkeys for admin accounts
SMS-based 2FA can be bypassed via SIM swapping. Admin accounts should use hardware security keys (YubiKey) or passkeys. At minimum, use Google Authenticator — never SMS.
3. Limit Super Admin accounts to 2-3 people
Every Super Admin is a high-value target. Most team members only need User Management or Groups Admin roles. Use the principle of least privilege — grant the minimum access needed.
4. Set password policies
Require minimum 12-character passwords. Enable "Do not allow password reuse." In 2026, length matters more than complexity rules — a 16-character passphrase beats "P@ssw0rd!" every time.
5. Review third-party app access
Go to Security → API Controls → Third-party app access. Review which apps have access to your organization's data. Block untrusted apps and restrict OAuth scopes.
Email Security
6. Configure SPF, DKIM, and DMARC
These three DNS records prevent email spoofing. Without them, anyone can send emails that look like they came from your domain. Read my full setup guide here.
7. Enable enhanced pre-delivery message scanning
Admin Console → Apps → Gmail → Safety. Turn on all enhanced scanning options. This catches phishing emails that slip past default filters.
8. Configure email allowlists carefully
Overly broad allowlists bypass spam and phishing filters. Only allowlist specific IPs or domains that you're certain are safe. Review existing allowlists quarterly.
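As an added example for item 6 (not part of the original checklist), here is a small Python checker that applies the rules a Google Workspace domain's DNS records should meet: exactly one SPF record that includes _spf.google.com and ends in ~all or -all, a DKIM1 public key at the google._domainkey selector (Google Workspace's default selector), and a DMARC record whose policy actually enforces (p=quarantine or p=reject). The TXT records are constructed for a hypothetical example.com; a real audit would fetch them with a DNS lookup.

```python
# Constructed TXT records for the hypothetical domain example.com (not real DNS data).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "google._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict with lowercase keys."""
    pairs = [p.split("=", 1) for p in record.split(";") if "=" in p]
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(records):
    """Apex TXT records must hold exactly one SPF record that authorizes Google."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return False, f"expected exactly one SPF record, found {len(spf)}"
    terms = spf[0].lower().split()
    if "include:_spf.google.com" not in terms:
        return False, "SPF does not authorize Google Workspace (_spf.google.com)"
    if terms[-1] not in ("~all", "-all"):
        return False, "SPF must end with ~all or -all; +all or no 'all' lets anyone pass"
    return True, "SPF ok"

def check_dkim(records):
    """The google._domainkey selector must publish a DKIM1 record with a public key."""
    for r in records:
        tags = parse_tags(r)
        if tags.get("v", "").upper() == "DKIM1" and tags.get("p"):
            return True, "DKIM ok"
    return False, "no DKIM record with a public key at selector 'google'"

def check_dmarc(records):
    """DMARC must exist and enforce: p=none only monitors, spoofed mail still lands."""
    found = [parse_tags(r) for r in records if r.upper().startswith("V=DMARC1")]
    if not found:
        return False, "no DMARC record: receivers have no policy for spoofed mail"
    policy = found[0].get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC p={policy or 'missing'}: monitoring only, not enforcing"
    return True, f"DMARC ok (p={policy})"

def audit(domain, txt):
    """Run all three checks over a name -> [TXT records] dict; returns name -> (ok, msg)."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dkim": check_dkim(txt.get(f"google._domainkey.{domain}", [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }
```

Running audit("example.com", SAMPLE_TXT) passes SPF and DKIM but fails DMARC, because p=none only reports on spoofed mail without blocking it.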
Data Protection
9. Restrict external file sharing
Admin Console → Apps → Google Drive → Sharing settings. At minimum, require users to be signed in to access shared files. Disable "Anyone with the link" sharing for sensitive Shared Drives.
10. Use Shared Drives instead of My Drive for company files
Files in My Drive belong to the user. When they leave, those files are at risk. Shared Drives belong to the organization. See my Shared Drive setup guide.
11. Enable Google Vault (if on Business Plus or Enterprise)
Vault lets you set retention policies and place legal holds on email and Drive files. Critical for regulated industries, but useful for any business that might need to recover deleted data.
Device & Endpoint Management
12. Enable mobile device management (MDM)
Admin Console → Devices → Mobile & endpoints. Enable basic management at minimum. This lets you remotely wipe company data from a lost or stolen phone.
13. Require screen lock on managed devices
Under device management settings, require a screen lock with a minimum PIN length. This prevents someone from picking up an unlocked phone and accessing company email.
Monitoring & Response
14. Set up admin email alerts
Admin Console → Security → Alert Center. Enable alerts for suspicious login activity, government-backed attack warnings, and admin privilege changes. Route these to a monitored inbox.
15. Review the security audit log monthly
Admin Console → Reporting → Audit and investigation. Check for failed login attempts, unusual file sharing patterns, and third-party app authorizations. A 15-minute monthly review catches problems early.
Scoring yourself: If you've checked items 1, 2, 6, and 9, you've covered the critical threats. Items 3-5 and 7-8 are your next priority. The rest hardens your posture and builds good operational habits.
Want Me to Run This Audit for You?
Book a free 30-minute consult. I'll review your Google Workspace security settings live and tell you exactly what needs fixing — no charge, no commitment.