Virtru Security Insights

Join 10,000+ Security Professionals Who Receive Our Content Every Month

Google Apps Security for the Mobile Workforce

August 18, 2016

Mobile devices are at risk of theft, hacking, snooping and insider cyber security threats. All it takes is one worker misplacing an unsecured phone or clicking on the wrong link to give hackers the power to leak or sabotage your data, send out fraudulent messages to partners and clients or even hold mission-critical information hostage.

Google Apps (currently known as G Suite) security has tools and settings to mitigate these threats, but many workplaces never get around to putting the necessary controls in place. If this all seems overwhelming, don’t worry — it’s easier than you think. But first you have to understand what you’re up against.

The Mobile Workforce Threat Landscape

The mobile workforce is growing at an incredible pace. Currently, 20-25% of workers regularly telecommute, and telework among workers who aren’t self-employed has more than doubled since 2005. Mobile device adoption is happening even faster; there are now over 7.2 billion mobile devices — more than there are people in the world — and the number is growing at 5 times the rate of world population. Bring Your Own Device (BYOD) is common across industries, with workers relying on mobile for email, sales, analytics and more.

Unfortunately, cyber criminals have adapted to the changing technology quickly. Malware is so in-demand that vendors can charge up to $15,000 in underground markets for sophisticated software to compromise mobile security. They can gain control of phones, steal anything from bank account numbers to medical records and even send and receive fraudulent messages from company accounts.

But some of the less sensational mobile workforce security risks do more damage. According to Gartner researcher Dionisio Zumerle, “There are still two main causes of data loss on mobile devices: physical device loss and misuse of apps.” Zumerle points out that apps are inherently invasive, spying on contact lists, location data and other sensitive data.

At the same time, workers may be storing company data without sufficiently strong encrypted file sharing, potentially allowing hackers access. Between the risks of losing a phone and giving away confidential data through apps that are invasive and not adequately secure, there’s a lot that can go wrong. Mitigating these risks requires careful configuration of Google Apps security settings to constrain user behavior and control data and account access.

How Google Apps Security is Combating the Problem

As BetterCloud Monitor points out, Google itself is very secure. Its data centers are independently audited and certified by third parties, and Google employs some of the world’s top security experts. Google also evaluates releases thoroughly, patches security flaws as quickly as possible, and makes a variety of admin security tools available to business.

Ensuring that you are using these tools — along with good technology policies and training — can prevent security breaches.

Get your copy of The Complete Guide to Email Encryption for G Suite Administrators for more practical tips on securing your business in the cloud.

Google Apps Security Settings for the Mobile Workforce

Configure basic Google Apps security and authentication controls. We all want to thwart hackers with our high-tech know-how, but many of the biggest threats on mobile are the same careless things users do on other devices: setting weak passwords and clicking suspicious links. Check out 8 Best Practices for Google Apps Security and Privacy to see how to setup multi-factor authentication, require strong passwords and prevent email spoofing claiming to be from your domain.

After you activate account authentication controls, make sure Google Apps security is set to the Scheduled Release track. This delays new features by one week, allowing you to prepare for them. More importantly, it decreases the risk of an early bug affecting your Google Drive security or stability.

From the Google Admin console, click Company profile > Profile. Locate the New User Features section, click “Scheduled release” and save the setting.

Use Android for Work to promote BYOD Google Apps security. Most workers use a single device for both work and personal business. Android for Work sets up separate business and personal profiles, allowing organizations to secure internal data without interfering with personal applications.

To start off, install the Google Apps Device Policy in Google Play on each phone, and have workers sign into their Google Apps for Work accounts. Next, go to the Admin Console and click Device Management > App Management > Manage Applications for Android Devices. This will open a Whitelist Android App dialog. Enter the Google Play for Work URL for any device you wish to whitelist. Your users will only be able to use those apps in their work profile, giving your IT team the ability to restrict your workers to safe Apps. You can also control iOS Apps by clicking “Manage Applications for iOS Devices.”

Require strong passwords to secure mobile devices against theft. While a lost or stolen mobile device can compromise enterprise data security, a password is often enough to keep unauthorized parties out. From your Google Admin console, click Device Management > Password settings. Select “Require users to set a password,” then select “strong” under “Password strength.” This will require users to use both numbers and letters in their passwords.

Next, use the “Minimum number of characters” setting to require users to create long passwords (at least 16 characters is recommended). Then, set “Number of days before password expires” to require users to change passwords regularly. Requiring new passwords every thirty days is good policy, but you’ll have to balance Google apps security concerns against the risks of users forgetting new passwords, and choose a number that works for your organization.

Finally, use the “Automatically lock the device after” setting to automatically lock the device after a set number of minutes. CJIS compliance, HIPAA compliance and other regimes require users to be locked out after a set time. Although 30 minutes is permissible under CJIS, a 10 or 15 minute time limit is much safer.

Require encryption in Google Apps Security. Android Encryption gives device passwords teeth by scrambling data on the device’s hard drive. Without the password, it’s difficult or impossible for hackers to retrieve readable information from a mobile device. In newer devices, iPhone encryption is enabled by default, but Android encryption needs to be manually activated.

Click Device Management > Advanced settings > Security and check “Require device encryption.” While you’re at it, click “Block compromised devices,” which will block devices that show signs of being hacked.

Wipe Account removes sensitive data if a phone is lost or stolen. Google Apps security has two functions to delete data remotely: Remote Wipe (which normally performs a factory reset) and Wipe Account (which only deletes Google Apps data). However, if your user has a work profile, either tool should only wipe that account.

If a phone is stolen or compromised, or a worker quits, Click Device management > Mobile devices and hover the mouse over the correct user. Click “Wipe Account,” and confirm in the dialog box that pops up.

Taking Control of Google Apps Security

 

Your Approach to Google Apps Security Should Grow with Your Organization

G Suite offers a vast partner ecosystem and an ever-expanding suite of native cloud security apps. Use these resources to learn how to keep your organization safe in the cloud.

Blogs and Guides

BEFORE YOU LEAVE

Stay Up to Date With the Latest in Digital Privacy

Subscribed! 

BEFORE YOU LEAVE

Stay Up to Date With the Latest in Digital Privacy

Subscribed! 

You're one step away from a personalized walkthrough.

Thank You for Your Interest

Which product are you interested in?

REQUEST A DEMO

REQUEST A DEMO

We'll reach out to schedule a time.