Let’s be honest: moving your business to the cloud is one of the best moves you can make for productivity. Google Workspace is a powerhouse for collaboration, but just because Google handles the “heavy lifting” of data centre security doesn’t mean your specific setup is bulletproof.
In fact, most security breaches in the cloud aren’t caused by a failure of the platform itself: they’re caused by simple configuration mistakes. For many businesses, it’s a case of “set and forget.” You set up your email, create a few docs, and get back to work.
But as a Google Cloud Partner who has been helping companies migrate since 2008, we’ve seen where things usually go wrong. Here are the seven most common Google Workspace security mistakes we see in the wild and, more importantly, how you can fix them before they become a problem.
1. Making Multi-Factor Authentication (MFA) “Optional”
This is the single biggest security gap in any business. If your staff can log in with just a password, your business is at risk. Phishing attacks are more sophisticated than ever, and a stolen password is all an attacker needs to access your entire company drive, email history, and customer data.
The Mistake: Allowing users to opt-out of 2-Step Verification (2SV) or relying on SMS-based codes which can be intercepted.
The Fix:
- Enforce 2SV for everyone: Don’t just recommend it; enforce it in the Admin console.
- Move away from SMS: Encourage the use of the Google Prompt or physical security keys for high-level accounts.
- Check our Security Checkup: If you’re not sure where to start, our Google Workspace Health and Security Checkup can audit your current settings.
2. Using “Anyone with the Link” as a Default
We’ve all done it. You’re in a rush to share a document, so you click “Anyone with the link can view.” It’s easy, it’s fast, and it’s also a massive data leak waiting to happen. If that link is accidentally shared or indexed, your sensitive internal data is effectively public.
The Mistake: Leaving your organization-wide Drive settings to allow “Anyone with the link” sharing by default.
The Fix:
- Change the Default: Set your organization’s default sharing to “Restricted” or “Internal Only.”
- Use Shared Drives: Move critical business data into Shared Drives. This gives you centralized control over who can see what, rather than relying on individual “My Drive” settings.
- Audit Regularly: Periodically check for files that are shared externally.
3. Having Too Many “Super Admins”
In many small businesses, it’s common for the owner, the office manager, and the outside IT guy to all have Super Admin privileges. While it’s convenient, it’s a major security risk. A Super Admin has the “keys to the kingdom”: they can reset any password, delete any file, and even shut down the entire account.
The Mistake: Using your daily email account as a Super Admin account or having more than two or three Super Admins.
The Fix:
- The Rule of Least Privilege: Only give people the access they need to do their jobs. Use “Delegated Roles” (like Help Desk or Groups Admin) instead of full Super Admin rights.
- Dedicated Admin Accounts: Administrators should have a separate, named account for admin tasks (e.g.,
admin.mathew@company.com.au) that isn’t used for daily emails or browsing. - Lock them down: Ensure every admin account is protected by a physical security key.
4. Skipping Email Authentication (SPF, DKIM, and DMARC)
Have you ever received an email from yourself that you didn’t send? That’s spoofing. If you haven’t properly configured your email authentication, attackers can send emails that look like they’re coming from your business domain, damaging your reputation and tricking your customers.
The Mistake: Neglecting the “technical trio” of SPF, DKIM, and DMARC settings in your DNS.
The Fix:
- SPF (Sender Policy Framework): Tells the world which servers are allowed to send mail on your behalf.
- DKIM (DomainKeys Identified Mail): Adds a digital signature to your emails.
- DMARC: Gives instructions on what to do if an email fails SPF or DKIM.
Setting these up can be tricky, which is why proactive technical support is vital to ensure your mail actually lands in the inbox and not the spam folder.
5. Ignoring Third-Party App Permissions (OAuth)
Your team likely uses a variety of third-party tools that “Sign in with Google.” While these are great for productivity, they often ask for permission to “See, edit, create, and delete all your Google Drive files.” Once a user clicks “Allow,” that third-party app has a direct door into your data.
The Mistake: Letting users authorize any third-party app without admin review.
The Fix:
- App Access Control: In your Admin console, review which apps have access to your data.
- Restrict by Default: Change settings so that only “Trusted” apps can access your Workspace data.
- Review Quarterly: Make it a habit to check the list of authorized apps and revoke access for anything that isn’t absolutely necessary.
6. The “Sloppy” Offboarding Process
When a staff member leaves the business, their access should be revoked immediately. We often see accounts left active for months because “we didn’t want to lose their emails.” This is a security nightmare. An unmonitored account is a prime target for hackers.
The Mistake: Not having a documented “Joiners and Leavers” process for IT.
The Fix:
- Immediate Suspension: Suspend the account the moment the employee leaves.
- Data Migration: Use tools (like Patronum or Google’s built-in tools) to transfer their Drive files and emails to a manager or a Shared Drive.
- Wipe Mobile Devices: If they used their personal phone for work, use Google’s mobile management to wipe only the business data from the device.
7. Assuming “Google is a Backup”
Google Workspace is highly redundant, meaning your data is stored in multiple places so it won’t be lost if a server fails. However, redundancy is not the same as backup. If a user (or a malicious actor) deletes a folder and empties the trash, that data is gone.
The Mistake: Not having a third-party, independent backup of your Gmail and Drive data.
The Fix:
- Implement Cloud-to-Cloud Backup: Use a dedicated service like Afi.ai to create daily backups of your entire Workspace.
- Test Your Restores: A backup is only good if you can actually get the data back. Test your restoration process twice a year to ensure your disaster recovery planning is solid.
How to Get Your Security Under Control
Security doesn’t have to be overwhelming. Most of these fixes are one-time configurations that drastically reduce your risk profile. As a specialist Google Cloud Partner, we’ve helped hundreds of businesses streamline their operations while locking down their digital assets.
Whether you need tailored training for your staff to spot phishing or a full managed IT audit, we’re here to help you collaborate smarter and safer.
About Mathew Hoffman
Mathew Hoffman is the owner of Cloud Computer Company and has been a fixture in the IT industry since 1981. Before launching his consultancy for small to medium businesses in 2001, Mathew held senior IT roles at the State Bank of NSW, Minet Australia, Wilhelmsen Lines, and Rothmans of Pall Mall. A highlight of his career was his involvement in the technology rollout for the Sydney 2000 Olympics.
Mathew was one of the original Google Partners in 2008 and re-branded the business to Cloud Computer Company in 2017 to better reflect our end-to-end cloud expertise. Now based in Noosa, Mathew is an avid cricket fan who has played and coached in both Sydney and on the Sunshine Coast. When he’s not helping businesses modernise their tech, you’ll find him spending time with his family, at the beach, or on the golf course.
