Why it matters
If you've been following the cybersecurity news lately, you'll have heard about a breach that exposed business contact data for a set of Gmail users. While the breach originated from a Salesforce database and didn't directly compromise Gmail accounts, it fueled a surge of phishing attacks, with phishing and "vishing" (voice phishing) now accounting for 37 percent of successful account takeovers across Google platforms.
This incident (among others) underscores why a comprehensive security checklist for Google Workspace isn't just recommended—it's absolutely essential in 2025.
The current state of Google Workspace security threats
The security landscape for Google Workspace continues to evolve rapidly. The main Google Workspace security risks include phishing, ransomware, malicious third-party apps, insider threats, human errors, and brute-force attacks, with phishing responsible for financially devastating data breaches for 9/10 organizations in 2024.
In 2024, 83% of organizations reported insider attacks, up from 60% in 2023, highlighting that threats aren't just external. Meanwhile, Gartner estimates 80%+ of enterprises experienced at least one cloud misconfiguration event in 2023.
What's particularly concerning is that human error, misconfigurations, and unchecked external file sharing remain prime risks for data breaches, despite Google Workspace's robust built-in security features.
1. Multi-factor authentication (MFA) - your first line of defense
This one's non-negotiable. According to the US Cybersecurity and Infrastructure Security Agency (CISA), accounts with MFA enabled are 99% less likely to be hacked.
What you need to do:
- Enforce MFA for every account, especially admin accounts, with no exceptions. Go to Security > Authentication > 2-Step Verification in the Admin Console and enable enforcement
- Configure allowed second-step methods to exclude weaker factors like SMS and voice codes. The recommended setting is "Any except verification codes via text or phone call," or require security keys for your most sensitive accounts
- Enroll high-privilege accounts (super administrators, C-level executives) in Google's Advanced Protection Program (APP), which is specifically built to guard against targeted attacks, phishing, and account hijacking
2. Advanced threat protection features
Google's built-in AI defenses are impressive—they block more than 99.9% of spam, phishing, and malware in Gmail. But you need to make sure these features are properly configured:
Enable these in Gmail's Safety settings:
- Advanced threat protection features, including spoofing protection, attachment scanning, and AI-powered phishing detection
- Enhanced Pre-Delivery Scanning for more thorough message screening and Attachment and Link Protection that scans attachments for malware and checks links against known malicious sites
- Security Sandbox, which executes attachments in a secure virtual environment to detect zero-day threats
3. Data loss prevention (DLP) policies
DLP policies in Gmail and Drive help prevent accidental or malicious sharing of sensitive data such as PII, financial information, or confidential documents.
Configure DLP rules to:
- Create rules that prevent sensitive data from being shared externally and monitor document and email flows containing regulated data types
- Set policies like "If file contains credit card numbers and is shared externally, block the share and notify admin"
- Automatically scan files and communications for sensitive information like credit card numbers, Social Security numbers, or proprietary project names, with rules configured to block external sharing
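The quoted rule ("if file contains credit card numbers and is shared externally, block the share and notify admin") can be prototyped offline before it is configured in the Admin Console. The sketch below is an added example, not Google's DLP engine; the internal domain, sample text and function names are assumptions, and a Luhn checksum is used so that arbitrary 16-digit strings such as order references do not trigger the rule.

```python
import re

INTERNAL_DOMAINS = {"example.com"}  # hypothetical organisation domain
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return candidate card numbers in text that also pass the Luhn check."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def evaluate_share(text, recipients):
    """Apply the rule: card data plus an external recipient means block."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    matches = len(find_card_numbers(text))
    blocked = bool(matches and external)
    return {"action": "block" if blocked else "allow",
            "notify_admin": blocked, "external": external, "matches": matches}

# Constructed sample content: a well-known test card number and an order reference
CARD_DOC = "Card on file: 4111 1111 1111 1111, exp 12/27"
ORDER_DOC = "Order ref 1234 5678 9012 3456 shipped"

if __name__ == "__main__":
    print(evaluate_share(CARD_DOC, ["partner@vendor.example"]))
    print(evaluate_share(CARD_DOC, ["bob@example.com"]))
    print(evaluate_share(ORDER_DOC, ["partner@vendor.example"]))
```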
4. Context-aware access controls
Admins can set granular access policies based on user identity, device status, IP address, and time of request, supporting a Zero Trust security model.
This means you can:
- Restrict access based on location
- Require specific device security settings
- Set time-based access restrictions
- Control access based on network security posture
5. Drive sharing and link controls
Drive misconfigurations are among the most common causes of data breaches. A single file accidentally set to "Public on the web" can expose sensitive information to anyone with the link.
Critical settings to configure:
- Set default sharing for new files to "Private" and limit external sharing by disabling the ability for users to share with personal email addresses or make files publicly available
- Restrict external sharing or allow only trusted domains, and disable "Anyone with the link" unless absolutely necessary
- Monitor for public links using Drive audit logs and set external membership restrictions on a per-drive basis
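Monitoring Drive audit logs for public links is easier when events are replayed in time order, so that a file someone has already set back to private does not raise an alert. The following is an added example, not part of the original article; the event shape, parameter names and visibility values are assumptions modelled on the Admin SDK Reports API Drive activity format, and every record is constructed.

```python
# Visibility values treated as exposure outside the organisation (assumed names)
EXPOSED = {"public_on_the_web", "people_with_link", "shared_externally"}

def make_activity(time, actor, doc_id, title, visibility):
    """Build one constructed record in the Reports API activity shape."""
    return {
        "id": {"time": time, "applicationName": "drive"},
        "actor": {"email": actor},
        "events": [{"name": "change_document_visibility", "parameters": [
            {"name": "doc_id", "value": doc_id},
            {"name": "doc_title", "value": title},
            {"name": "visibility", "value": visibility},
        ]}],
    }

SAMPLE_LOG = [  # constructed events, deliberately out of time order
    make_activity("2025-01-15T10:30:00Z", "alice@example.com", "doc-A",
                  "Q1 payroll", "private"),
    make_activity("2025-01-15T10:00:00Z", "alice@example.com", "doc-A",
                  "Q1 payroll", "public_on_the_web"),
    make_activity("2025-01-15T10:05:00Z", "bob@example.com", "doc-B",
                  "Customer list", "people_with_link"),
    make_activity("2025-01-15T11:00:00Z", "carol@example.com", "doc-C",
                  "Team notes", "people_within_domain_with_link"),
]

def still_exposed(activities):
    """Replay events in time order; return files whose latest visibility is exposed."""
    state = {}
    for act in sorted(activities, key=lambda a: a["id"]["time"]):
        for event in act.get("events", []):
            p = {x["name"]: x.get("value") for x in event.get("parameters", [])}
            doc_id, visibility = p.get("doc_id"), p.get("visibility")
            if not doc_id or not visibility:
                continue
            if visibility in EXPOSED:
                state[doc_id] = {"doc_id": doc_id, "title": p.get("doc_title"),
                                 "visibility": visibility,
                                 "actor": act.get("actor", {}).get("email"),
                                 "time": act["id"]["time"]}
            else:
                state.pop(doc_id, None)  # a later fix clears the finding
    return sorted(state.values(), key=lambda r: r["time"])

if __name__ == "__main__":
    for row in still_exposed(SAMPLE_LOG):
        print(row)
```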
6. Security center and monitoring
Set up alerts for high-risk actions like password resets, data downloads, or suspicious logins, and use the Security Center dashboard to monitor overall risk posture.
Regular monitoring should include:
- Audit logs for unusual activity patterns
- Third-party app permissions and OAuth tokens
- External sharing activity
- Failed login attempts and geographic anomalies
7. Device management and mobile security
Enforce policies like screen locks, OS version checks, device encryption, and block unverified devices from accessing Workspace.
This is particularly important given that 60% of endpoints in the average organization are mobile devices, and 70 million smartphones get lost each year with only 7% recovered.
Email authentication protocols
To prevent attackers from spoofing your domain and tricking employees, customers, and partners, implement standard email authentication protocols. This includes:
- SPF (Sender Policy Framework) records
- DKIM (DomainKeys Identified Mail) signing
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies
Third-party app management
Third-party apps introduce new security concerns, and malicious apps may contain malware or be used for account security breaches. Regularly audit:
- OAuth permissions granted to third-party applications
- App access to sensitive data
- Unused or suspicious applications
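A periodic audit of OAuth grants can be reduced to one question: which unapproved apps hold broad mail or Drive scopes, and for how many users? This added example, not from the original article, groups token records by app; the records are constructed in the shape of Admin SDK Directory API token resources, and the client IDs, app names and allowlist are hypothetical (userKey is shown as an email address for readability).

```python
from collections import defaultdict

HIGH_RISK_SCOPES = {
    "https://mail.google.com/",                        # full mailbox access
    "https://www.googleapis.com/auth/gmail.readonly",  # read all mail
    "https://www.googleapis.com/auth/drive",           # full Drive access
}
APPROVED_CLIENTS = {"1111.apps.googleusercontent.com"}  # hypothetical allowlist

SAMPLE_TOKENS = [  # constructed token records
    {"userKey": "alice@example.com", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "Approved Backup",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "alice@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "PDF Converter",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "3333.apps.googleusercontent.com",
     "displayText": "Calendar Helper",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com", "clientId": "4444.apps.googleusercontent.com",
     "displayText": "Mail Merge", "scopes": ["https://mail.google.com/", "openid"]},
]

def risky_grants(tokens, approved=APPROVED_CLIENTS):
    """Group unapproved apps holding high-risk scopes, widest reach first."""
    apps = defaultdict(lambda: {"app": None, "users": set(), "scopes": set()})
    for tok in tokens:
        risky = HIGH_RISK_SCOPES & set(tok.get("scopes", []))
        if tok["clientId"] in approved or not risky:
            continue
        entry = apps[tok["clientId"]]
        entry["app"] = tok.get("displayText")
        entry["users"].add(tok["userKey"])
        entry["scopes"] |= risky
    report = [{"clientId": cid, "app": e["app"], "users": sorted(e["users"]),
               "scopes": sorted(e["scopes"])} for cid, e in apps.items()]
    return sorted(report, key=lambda r: (-len(r["users"]), r["clientId"]))

if __name__ == "__main__":
    for row in risky_grants(SAMPLE_TOKENS):
        print(row)
```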
Advanced Protection Program for high-risk users
Google's Advanced Protection Program provides the strongest account security for people most at risk of phishing, hacking and targeted digital attacks. It requires passkeys or security keys to verify identity, ensuring unauthorized users can't sign in even if they know usernames and passwords.
Why native security isn't always enough
While Google Workspace offers robust built-in security, there are limitations. Gmail's security filters rely heavily on known threat signatures and behavior patterns, meaning zero-day attacks or novel phishing campaigns may slip through before detection models are updated.
Gmail's filters don't fully understand the context of your business, team structure, or workflows, so they can't always flag context-specific threats like an attacker impersonating a vendor with a slightly altered invoice.
This is where specialized security platforms like Material Security can add significant value. Material Security integrates directly with Google via API, helping to streamline and operationalize Google account security strategies while providing detection and response capabilities that speed and automate the remediation process when risk or misconfiguration is detected.
Material is the only platform with holistic functionality to secure Google Workspace before, during, and after an incident, bringing together the latest AI/ML techniques and proactive threat research to identify and remediate advanced attacks such as BEC, impersonation and spear phishing.
Your 2025 Google Workspace security checklist
Here's your actionable checklist to secure Google Workspace in 2025:
Identity & Access Management:
- Enable MFA for all users (no exceptions)
- Enroll high-privilege accounts in Advanced Protection Program
- Configure strong MFA methods (exclude SMS/voice)
- Set up context-aware access controls
- Regular password policy enforcement
Email Security:
- Enable advanced phishing protection
- Configure attachment and link scanning
- Set up Security Sandbox
- Implement email authentication (SPF, DKIM, DMARC)
- Configure appropriate spam and malware settings
Data Protection:
- Create comprehensive DLP policies
- Restrict default Drive sharing to "Private"
- Disable "Anyone with link" sharing
- Regular audit of external sharing permissions
- Monitor for publicly shared documents
Device & Endpoint Management:
- Enforce device encryption and screen locks
- Block unverified devices
- Set minimum OS version requirements
- Mobile device management policies
Monitoring & Response:
- Configure Security Center alerts
- Set up suspicious activity monitoring
- Regular third-party app audits
- Implement security awareness training
- Establish incident response procedures
Moving forward with confidence
Google Workspace security in 2025 requires a layered approach that goes beyond default settings. While Google provides a strong set of native security tools, relying on default settings is not enough. To truly secure Google Workspace from phishing, you need a multi-layered strategy that combines robust configuration, proactive monitoring, and an empowered, security-conscious team.
The recent security incidents serve as stark reminders that threats are evolving faster than ever. But with the right configuration, monitoring, and additional security tools when needed, you can create a robust defense that protects your organization without hindering productivity.
Remember: security isn't a one-time setup—it's an ongoing process that requires regular review, updates, and adaptation to new threats. Start with this checklist, but make security review a regular part of your operational rhythm.
For organizations looking for comprehensive Google Workspace security that goes beyond native capabilities, platforms like Material Security offer the advanced detection, response, and remediation capabilities needed to stay ahead of today's sophisticated threats.
