
5 Steps to Secure Gmail

How to protect email in Gmail

People love the simplicity and ease of use that Gmail — and, more broadly, Google Workspace — provide. Gmail is the world’s most popular email platform, with over 1.8 billion users worldwide and encompassing 18% of email client market share. A staggering amount of information is sent via Gmail every second, so it’s essential that all that data is properly secured.

While Google offers great security and privacy controls, there are still some steps you should take to ensure that your private data doesn’t fall into the wrong hands, whether in use, in transit, or at rest. Here are five steps you can take to improve Gmail security, starting today:

1. Complete the Gmail security checklist.

For starters, Google provides an easy checklist of steps you should take to secure Gmail. Some of the more interesting steps take advantage of features that most users don’t know about, such as the ability to see the IP addresses (and locations) last used to access your account, so if an unauthorized user is snooping around your inbox, you can see when and where.  

Others, however, focus more on preventing your system (or device) from being compromised. The Gmail security checklist urges users to adopt best security practices, such as making sure your operating system and apps are up to date.

2. Choose safe email passwords.

By now, it’s common knowledge that you need to create strong passwords and update them regularly, but it’s worth repeating some key ground rules. It’s not enough to just use a few numbers or characters, or to make something really long — you’ve got to get creative.

One of the best ways to ensure you’re using complex passwords is to use a password manager, which can also help you ensure you’re not reusing passwords across multiple websites. For every password you reuse, you’re amplifying your risk substantially. 

It’s also worth noting that you should keep your work passwords separate and never reuse them for your personal accounts. Website hacks and data breaches happen all the time, exposing users’ credentials and passwords. It takes just one compromised employee password to wreak havoc on an organization’s data, potentially jeopardizing a wealth of your colleagues’ and customers’ private information.

Google recommends a password that’s at least 12 characters long and doesn’t contain any personal information or obvious phrases or keyboard patterns.
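The rules above (12-character minimum, no personal information, no obvious phrases or keyboard patterns) and the reuse check a password manager performs can be expressed as a small policy checker. This is an added example, not code from Virtru or Google; the keyboard rows and phrase list are constructed for the demo, and `ReuseVault` is a hypothetical stand-in for a real manager's vault.

```python
import hashlib

# Google's stated rules: at least 12 characters, no personal information,
# no obvious phrases or keyboard patterns. Lists below are constructed for
# this demo; a real checker would use far larger ones.
MIN_LENGTH = 12
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1234567890", "abcdefghijklmnopqrstuvwxyz")
OBVIOUS_PHRASES = ("password", "letmein", "welcome", "iloveyou", "admin")

def has_keyboard_run(password, run=4):
    """True if `run` consecutive characters walk a keyboard row, the digits
    or the alphabet in either direction (e.g. 'qwer', '4321', 'abcd')."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        chunk = lowered[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(password, personal_info=()):
    """Return the list of violated rules; an empty list means it passes.
    personal_info holds strings such as a name, a pet or a birth year."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if any(len(i) >= 3 and i.lower() in lowered for i in personal_info):
        problems.append("contains personal info")
    if any(phrase in lowered for phrase in OBVIOUS_PHRASES):
        problems.append("contains obvious phrase")
    if has_keyboard_run(password):
        problems.append("contains keyboard pattern")
    return problems

class ReuseVault:
    """Hypothetical stand-in for the reuse check a password manager performs:
    it stores one digest per site, so reuse is detectable without plaintext.
    The unsalted SHA-256 is acceptable only for this in-memory demo."""
    def __init__(self):
        self._sites_by_digest = {}

    def record(self, site, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        self._sites_by_digest.setdefault(digest, []).append(site)

    def reused_at(self, password):
        # Sites already using this password (e.g. work and personal accounts).
        digest = hashlib.sha256(password.encode()).hexdigest()
        return list(self._sites_by_digest.get(digest, []))
```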

3. Turn on 2-Step Verification.

While a strong password is important, it should never be the only line of defense for securing your Gmail account. When you enable 2-Step Verification, anyone attempting to log in to your account will need, in addition to your password, the unique code sent to your phone.

This step is a form of multi-factor authentication, which has become critically important as cyber attacks continue to escalate. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) has labeled single-factor authentication as a “bad practice” to avoid. 

2-Step Verification requires would-be hackers not only to know your password but also to have physical control of the phone or device that receives the unique code before they can gain access to your account. Although it doesn’t protect your email content directly, it does help secure Gmail from unauthorized logins — a huge bonus for protecting the contents of your emails.

4. Recognize and avoid phishing attempts.

According to KnowBe4, more than 90% of successful hacks and data breaches start from phishing scams. Phishing is the practice of sending fraudulent emails to individuals in a ploy to get them to send sensitive information to hackers. 

Phishing emails used to be a little easier to notice, with misspelled words, sketchy-looking domain names, and grammatical errors. Unfortunately, social engineering has made phishing attacks look far more realistic.   

Don’t want to fall prey to a phishing attack? Whenever you are sent an email that requests your information, don’t click any links in the email itself. Instead, navigate to that company’s website and directly log in to your account there. 

KnowBe4’s Data Driven Defense Evangelist, Roger Grimes, notes that social engineering and phishing tactics are becoming increasingly sophisticated. “Years ago, when you got a phishing email, it would have all kinds of typos in it, and it would be from some weird-looking email address,” Grimes said. “You’re like, ‘There’s no way this is my boss,’ or, ‘There’s no way this is Microsoft.’ But, these days, they’re a lot more sophisticated. They’re more and more often actually targeting particular industries.” Phishing attacks are starting to use industry-specific terms, jargon, and client scenarios to foster a false sense of trust. As they learn, hacking groups can make these emails look increasingly realistic.  

“Now, we’re seeing these highly targeted things that are appearing to be from people’s bosses—and that boss is referring to a project the individual is on. So they’ll say, ‘Hey, you know that project you’re working on with Cindy in HR?’ I’ve had people email me asking, ‘How did they know the name of the person who approves checks? That person’s name is not known outside the company, it’s not on any public documents. How did they learn that Cindy is the one who approves wire transfers?’ And sometimes they find out, that person’s name was mentioned in a public document, or the hacker has compromised a partner that dealt with Cindy.”

It’s also a good idea to watch for the red flags mentioned above: misspelled words, sketchy-looking sender domains, grammatical errors, and unexpected requests for your information. Finally, if you ever feel the slightest suspicion about the nature of an email, simply contact the person or organization that claims to have sent it (preferably in person, or by phone) and ask for yourself.

5. Layer encryption for ultimate security.

While complicated passwords and multi-step authentication are important, encryption is the cornerstone of any secure Gmail inbox. In simple terms, encryption conceals data so that it can’t be accessed without the right encryption key.

There are a few different ways to encrypt your emails. First of all, the Gmail server is automatically protected by network-level encryption. This layer of encryption protects your emails within Google’s network or while they’re in transit from sender to recipient. However, once your email leaves Google’s network, it is no longer protected. While Gmail Confidential Mode provides some basic access control features, such as disabled forwarding and access revocation, it’s still a limited feature.

Even with Google’s network encryption and Gmail Confidential Mode, your data is still vulnerable unless you adopt a solution that provides client-side encryption. In other words, Gmail’s built-in security does a pretty good job, but the actual content — messages and attachments — of the emails you send isn’t encrypted and is vulnerable to exposure.

Client-side encryption closes that gap. This data-centric encryption method scrambles the contents of your emails into ciphertext so that they’re unreadable without the right encryption key. That way, even if your email is intercepted while it’s in transit, your information is still protected from unauthorized access.

Unfortunately, most client-side encryption methods, such as PGP and S/MIME, are complicated to set up and impossible to use without first exchanging keys or certificates with your recipient.

Protecting your data in Gmail is a great first step, but you should also be mindful of the data that resides elsewhere in Google Workspace — such as files in Google Drive, Docs, Sheets, and Slides. Encrypting data across the Google ecosystem strengthens your security posture and protects you from vulnerabilities that could lead to a data breach. 

To learn more about applying more comprehensive protection across Gmail, Google Workspace, and beyond, contact Virtru today. 
