Chykalophia Docs
Google Workspace

Key security settings

The most important security settings to configure in your Google Workspace Admin console — protecting your organization's accounts, data, and email.

google-workspace · security · intermediate

As a Google Workspace admin, you have access to powerful security controls that protect your entire organization. This guide covers the settings you should check and configure — ideally as soon as your Workspace is set up.

Quick summary

The most important security actions: enforce 2-step verification, set a strong password policy, review which third-party apps have access, turn on login alerts, and configure Gmail's spam and phishing protections. All of these live in the Admin console at admin.google.com → Security.

What you'll need

Admin access required
  • Admin access to admin.google.com
  • About 20–30 minutes to review and configure each section

1. Enforce 2-step verification

This is the single most impactful security measure. See Turning on 2-step verification for the full steps.

Where to find it: Admin console → Security → Authentication → 2-Step Verification.

What to do: Enable enforcement for all users. Allow a 1-week grace period for users to set it up.

2. Set a strong password policy

Go to Admin console → Security → Password management.

Set a minimum password length of at least 12 characters.

Enable "Enforce strong password." This requires a mix of letters, numbers, and symbols.

Turn on "Password reuse prevention" to stop users from reusing old passwords.

Click Save.

3. Review login and activity alerts

Set up alerts so you know when something unusual happens.

Where to find it: Admin console → Security → Alerts → Manage alert center.

Look for alerts related to:

  • Suspicious login activity — sign-ins from unusual locations or devices
  • User account suspended — if Google auto-suspends a compromised account
  • Password reset — when an admin resets any user's password

Make sure alert emails go to an address you regularly check.

4. Audit third-party app access

Apps connected to Google Workspace can read email, access Drive files, and more. Review what's connected.

Where to find it: Admin console → Security → API controls → App access control.

Review the list of connected apps. Look for anything you don't recognize.

Click on any suspicious app to see what permissions it has.

Revoke access to apps you don't need by clicking Block or Remove.

Unrecognized apps can mean a security breach

If you see an app that no one in your team installed or recognizes, it may have been authorized by a compromised account. Revoke its access and investigate.
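
The same review can be scripted once the grants are exported. This is an added example, not part of the original guide: it assumes records shaped like the Admin SDK Directory API's tokens.list output (clientId, displayText, scopes, userKey), and the sample records and the approved-client allowlist are constructed for illustration.

```python
from collections import defaultdict

# Scope prefixes that let an app read mail or Drive content.
SENSITIVE_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.",
    "https://www.googleapis.com/auth/drive",
)
# Hypothetical allowlist: OAuth client IDs your team has reviewed and approved.
APPROVED_CLIENT_IDS = {"1111-approved.apps.googleusercontent.com"}

# Constructed sample grants (not real data), one record per user/app pair.
SAMPLE_TOKENS = [
    {"userKey": "ana@example.com", "clientId": "1111-approved.apps.googleusercontent.com",
     "displayText": "Team CRM", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "ben@example.com", "clientId": "2222-unknown.apps.googleusercontent.com",
     "displayText": "PDF Helper", "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "cy@example.com", "clientId": "2222-unknown.apps.googleusercontent.com",
     "displayText": "PDF Helper", "scopes": ["https://mail.google.com/"]},
    {"userKey": "ana@example.com", "clientId": "3333-calendar.apps.googleusercontent.com",
     "displayText": "Meeting Notes", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

def audit_tokens(tokens, approved=APPROVED_CLIENT_IDS):
    """Return unapproved apps that hold mail or Drive scopes, grouped per app."""
    apps = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for tok in tokens:
        risky = [s for s in tok.get("scopes", []) if s.startswith(SENSITIVE_SCOPE_PREFIXES)]
        if tok["clientId"] in approved or not risky:
            continue  # approved app, or no access to mail/Drive content
        entry = apps[tok["clientId"]]
        entry["name"] = tok.get("displayText", "")
        entry["users"].add(tok["userKey"])
        entry["scopes"].update(risky)
    findings = [
        {"clientId": cid, "name": e["name"],
         "users": sorted(e["users"]), "scopes": sorted(e["scopes"])}
        for cid, e in apps.items()
    ]
    # Apps authorized by the most accounts come first.
    return sorted(findings, key=lambda f: (-len(f["users"]), f["clientId"]))

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS):
        print(f'{f["name"]} ({f["clientId"]}): users={f["users"]} scopes={f["scopes"]}')
```

Each finding is an app to look up under App access control and either approve or block.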

5. Configure Gmail's advanced spam and phishing settings

Google already filters most spam, but these admin settings add extra layers:

Where to find it: Admin console → Apps → Google Workspace → Gmail → Spam, Phishing and Malware.

Key settings to review:

  • Enhanced pre-delivery message scanning — scans links in email more deeply before delivery. Turn this on.
  • Protect against domain spoofing — warn users when someone impersonates your domain. Turn this on.
  • Additional security protections — warnings on emails from suspicious senders. Turn these on.

6. Manage data sharing settings for Drive

Control who can share files outside your organization.

Where to find it: Admin console → Apps → Google Workspace → Drive and Docs → Sharing settings.

  • External sharing — choose whether users can share files with people outside your domain. "On for everyone" is the most open; you can restrict it if your organization handles sensitive data.
  • Warn when sharing outside the organization — turn this on. Users get a warning before sharing externally, preventing accidental leaks.

7. Review admin roles

Only people who genuinely need admin access should have it.

Where to find it: Admin console → Account → Admin roles.

  • Review who has the Super Admin role. You should have at least 2 Super Admins, but not everyone should hold the role.
  • Consider using limited admin roles for people who only need to reset passwords or manage specific users.

8. Check your recovery information

Make sure your admin account has a recovery phone number and email address.

Where to find it: Admin console → Account → Account settings.

This lets you recover access if your main admin account is ever locked out.

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
