Admin Insider: 10 tips to better secure your organization using G Suite

We believe in stringent privacy and security standards at Google and design our products with safety in mind based on industry best practices. For IT admins and end users, it’s important that security is simple and intuitive, so that they can stay in control of who sees their information.

In the spirit of Safer Internet Day, it’s a great time to refresh security practices within your organization. Here are 10 steps that IT Admins can take to be more secure within G Suite.

1. Have your users complete a Security Checkup. This will show you the apps that have access to your data at all times, and automatically provide you with personalized guidance to improve the security of their Google accounts. We believe it’s really important for you to understand the information that is shared with apps or sites so that we can help keep everyone in your organization safe.

2. Enforce 2-step verification. Two-step verification (2SV) is one of the best ways to prevent someone from accessing your account, even if they steal your password. In G Suite, admins have the ability to enforce 2-step verification. 2SV can reduce the risk of successful phishing attacks by asking employees for additional proof of identity when they sign in.  

3. Use Security Keys for 2SV. Working with FIDO Alliance standards, Google developed the Titan Security Key—a physical key used to access a Google Account without a traditional password. The key sends an encrypted signature and works only with the sites that it’s supposed to, helping to guard against phishing. G Suite admins can easily deploy, monitor, and manage the security keys at scale from within the Admin console–without installing additional software. At Google, we have had no reported or confirmed account takeovers due to password phishing since we began requiring security keys as a second factor for our employees.

4. Secure your mobile devices. More than 20 million devices are already managed with G Suite’s enterprise-grade mobile management solution (part of Cloud Identity). With new proactive security settings, basic device management is automatically enabled for your mobile devices that access G Suite. This means we help take care of it for you! Admins can get basic security controls over employee devices without the employees having to install profiles on iOS and Android devices. Once basic management is fully deployed, consider taking it a step further by setting up advanced mobile management.

5. Review how third-party apps access G Suite data. OAuth apps whitelisting helps keep company data safe by letting you specifically select which third-party apps are allowed to access users’ G Suite data. Once an app is part of a whitelist, users can choose to grant authorized access to their G Suite apps’ information. This helps  prevent malicious apps from tricking people into accidentally granting access to corporate data.

6. Enable advanced phishing and malware protections to better identify suspicious content. Gmail prevents more than 99.9 percent of spam, BEC threats, and phishing emails from ever reaching your inbox by integrating with technologies such as Safe Browsing. We're also applying machine learning (ML) to billions of threat indicators and evolving our models to quickly identify what could be a phishing attack in the making. Make sure these settings are turned on. Better luck next time, spammers.

7. Turn on unintended external reply warnings for Gmail. With this feature, when a user hits reply in Gmail, Google will scan the recipient list to determine its risk level (even addresses in CC). If a recipient is external to your organization, not present in your contacts, or someone you don’t interact with regularly, Gmail will display the warning. Unintended external reply warning is controlled from the Admin console control in the “Advanced Gmail” settings.

You can also turn on an unintended external reply warning in Hangouts, to show a warning when you’re chatting with people outside your domain. This prevents external users from seeing previous internal discussions and reduces the risk of data leaks. You can also limit chats to only users within your domain.

8. Limit who can see calendars externally by checking your Google Calendar settings. This blocks calendars from being shared outside of your domain. Calendar settings enable users to control who sees which activities, and at what level of detail, on their calendar. By restricting external calendar sharing to only show “free” or ”busy,” you can reduce the risk of data leaks.

9. Confine file sharing to whitelisted domains to reduce data leak and data exfiltration risks. You can restrict access to only those within your whitelist, or have a warning message appear when you try to share a file outside of your domain. This is a good way to check whether or not you intended to send a message.

10. Pay attention to the Google security health recommendations. If you’re an enterprise customer, you can take advantage of security health recommendations which analyze and give you custom advice to secure your users and data. These recommendations cover issues ranging from how your data is stored, to how your files are shared, as well as recommendations on mobility and communications settings. Check out this help article for even more best practices to keep in mind.

These steps can help you improve your organization’s security posture and become more resistant to attacks. To learn more about security in G Suite, download this eBook.