• Enable 2-Step Verification (MFA) for all accounts.
  
• Use Admin Console → Security → Less Secure App Access = OFF.
  
• Enforce strong password policies and consider Passkey sign-in for admins.
  
• Assign roles properly – Admin rights only for IT or management.
  
• Disable or suspend unused accounts immediately.
  

💡 Use Google Workspace Admin Reports to monitor suspicious logins or failed attempts.

• Require all company devices to sign in with Google accounts under device management.
  
• Enforce screen locks, encryption, and automatic OS updates.
  
• Apply Basic Mobile Management (included in all Workspace editions) to remotely wipe lost devices.
  
• Avoid public or shared computers for accessing Workspace.
  

💡 Business Standard and Business Plus plans offer advanced endpoint management — ideal for small teams.

• Audit Drive sharing settings:
  
  • Default sharing = “Restricted”
    
  • Disable “Anyone with the link” unless business-approved.
    
    
• Enable Data Loss Prevention (DLP) in Drive and Gmail to prevent sensitive info leaks.
  
• Use Google Vault for backup, archiving, and compliance.
  
• Regularly review files shared externally (via “Drive → Shared with me”).
  

💡 Keep customer and financial data in shared drives with limited editor rights.

• Enable Gmail’s advanced phishing & malware protection.
  
• Set up DMARC, DKIM, and SPF records for your domain.
  
• Disable automatic email forwarding rules from external senders.
  
• Train users to recognize phishing attempts — even the smartest filters can’t block human curiosity.
  

💡 Use Google’s “Security Sandbox” to detect zero-day attachments.

• Implement 3-2-1 Backup rule:
  
  • 3 copies of data
    
  • 2 different storage types
    
  • 1 offsite or third-party backup (e.g., SpinBackup, Acronis).
    
    
• Schedule monthly restore tests.
  

Keep key admin credentials in an offline, encrypted vault.

• Provide onboarding security awareness training for all employees.
  
• Share short internal tips about phishing, password hygiene, and sharing rules.
  

Encourage quick reporting of suspicious activity — better safe than sorry.