Google Apps for Work (now known as G Suite) is incredibly useful for small businesses, enterprises, and everyone in between. It combines email, word processing, spreadsheets, presentation software, cloud storage, and other vital services into one intuitive package. Google Apps security policies look good too — Along with being FISMA-moderate certified, Google guarantees your data will only be stored for as long as you want it to.
None of this, of course, means that your information is invulnerable to attack. Your email and data security are only as good as the safeguards you put in place — even if that data is secured in the cloud. If you want to keep your data secure, make sure you keep these best security practices in mind:
1. Know the Threat
Google Apps security is excellent, however it’s important to understand outside risks that could threaten your security and privacy. Some examples of external threats include hackers guessing or stealing passwords, or Phishers attempting to trick employees into giving away passwords or other valuable information by posing as clients, business partners, government institutions, or even coworkers. Undetected malware could spy on your employees, copying confidential information from an employee’s computer.
Google Apps security also can’t protect you from human error. It can’t stop an employee from accidentally sending confidential information, typing in the wrong email address, or hitting “Reply to all” instead of “Reply,” for example, or from breaking PCI Compliance by sending credit card info over email. It’s important for everyone in your organization to not only know these external threats are out there, but to learn security and privacy best practices and the excellent features Google Apps make available to guard against them.
Get your copy of The Complete Guide to Email Encryption for G Suite Administrators for more practical tips on securing your business in the cloud.
2. Use Multi-Factor Authentication in Google Apps
If a hacker gains access to an employee’s password, multi-factor authentication could mean the difference between a major security breach and a minor irritation. Google’s version of multi-factor identification — 2-Step Verification — requires employees to enter a security code from their cellphone whenever they login from a new browser or a different computer, as well as once every 30 days. That means that even if a hacker steals an employee’s login info, they still won’t be able to access the employee’s account
Google Apps Security lets the administrator require everyone in the domain to use 2-Step Verification. From the Google Admin Console, click Security > Basic settings. Then, select “Allow users to turn on 2-factor authentication” under “2-Step Verification.” Instruct all your users to go to Google’s verification landing page and click “Get Started.” Google will guide them through setup step-by-step, using their cellphones and login credentials.
Google recommends users with smartphones use the Authenticator app to get their security codes, but they can also receive them through SMS or an automated phone call. Each user will have to use their security code on the next login, and will have the option of having the browser remember it, so they don’t need a new code every time they log in on their work computer. Once all users have installed 2-Step Verification, you should make it mandatory. Click “Basic Settings,” then select, “Go to advanced settings to enforce 2-step verification.” You’ll have the option to enforce it immediately, or to set a date for enforcement to start.
3. Prevent Spoofing
Spammers, phishers, or even malicious competitors could spoof your email address, making a message appear to come from your organization. Google Apps security provides several tools to help prevent this. Using DKIM (DomainKeys Identified Mail Standards) lets you create a signed 1024-bit domain key, which allows recipients to verify that a message is from your domain.
From your admin console, click Apps > Google Apps > Gmail > Authenticate email. If you have multiple domains, select which one you want to make a key for, then click “Generate new record.” The domain will automatically be added to the DNS records if you bought your domain from a Google Apps partner. Otherwise, you’ll have to add it manually. Finally, turn it on by going to Apps > Google Apps > Gmail > Authenticate email, and clicking “Start Authentication.”
Configuring SPF Records will also help prevent spoofing. Configure it from your Admin console, and you’ll be able to use one of the most powerful anti-spoofing tools: DMARC. This tool allows you to choose what other participating email servers do with emails spoofing your domain. You’ll be able to have them delete, quarantine, or pass the emails through.
4. Adjust Google Apps Security Settings
If your employees work remotely, requiring users to use SSL is a must (it’s a good idea onsite too!). When your employees sign in to unsecured WiFi, such as at a coffee shop, others can spy on information they send over the Internet. Secure Socket Layers (or SSL) can help protect that data from prying eyes by encrypting it. You can enable SSL from your Admin console by clicking Security > Basic settings > SSL on the dashboard.
You should also monitor the strength of user passwords. Click Security > Password monitoring from the dashboard. If your users are using weak passwords, consider clicking Security > Basic settings, and setting a higher minimum password length.
If another administrator gave you admin privileges, you’ll also need to add recovery options in case your account gets hijacked. From My Account, select “Your personal info.” Click “Email” and add a recovery email. Alternately, click “Phone,” then “Add Recovery Phone,” then input your phone number.
5. Review User Behavior Reports With Google Apps Security
Google Apps security reports allow you to see if your users are disregarding security procedures in ways that can compromise data security. When you click Reports > Security, you’ll see data for the domain, a table that displays data for each individual users, and a filters section, which lets you see which users are being displayed. You’ll be able to see a wide range of info, including which users share files and install external apps, and whether particular users are skipping 2-Step Verification.
It’s a good idea to check security reports regularly, but you should also subscribe to alerts to catch urgent security issues as they happen. Sign up for the suspicious login activity alert under “Reports” by clicking “Manage Alerts” and setting it to “ON.” When a login occurs from a suspicious location, you’ll receive an email alert. Contact the user, and ask if they remember making that login. If you can’t confirm that it was actually them, suspend their account and lock them out of Apps until you’re sure the account hasn’t been compromised.
6. Implement a strong password policy
Making sure your users are choosing and using passwords correctly is the simplest way to stop Google Apps security breaches. Start by teaching users how to make a strong password. The password should be at least 8 characters long, and ideally, 12 or more. It should have both uppercase and lowercase letters, as well as characters and numbers. It should not contain personal info, such as the user’s name or birthday, or any words that could be easily associated with them.
Tell users to never, ever reveal passwords — not over the phone, not in a questionnaire, and not in an email. They should never write passwords down either, or use the “save password” function, and should change their passwords at least once every six months. If a user believes their password might be compromised, they should contact the admin immediately, and change all their passwords — not just the one that they think is at risk.
7. Use client-side email encryption
As mentioned before, Google uses SSL to protect your users’ communications — especially on unsecured Internet connections. Google also encrypts email while it stays within Google servers, which makes messages unreadable by third parties when you send them to other Gmail users. Unfortunately, when you send an email to a user who uses another service, such as Yahoo!, it has to go through servers that aren’t operated by Google. Depending on the way those servers are set up, the email may become unencrypted on the way over, allowing others to potentially read or record it.
Fortunately, Virtru for Google offers client-side encryption, which closes this security vulnerability. When you send a message, an electronic key is sent to Virtru. None of the servers between you and the recipient will have that key, which means none of them will be able to read the message. The only one who can access it is the intended recipient. Once you install Virtru, you’ll be able to encrypt Gmail messages by flipping the Virtru switch at the top of the email window before you send it. When you receive a message encrypted by Virtru, you’ll be able to read it just like any other email, without any extra steps.
8. Build a work culture of security
No matter how good your security measures are, your employees still need to know how to be safe on the Internet. Users should know how to avoid phishing scams by not clicking hyperlinks in emails (especially from unknown users), or typing any sensitive or personal information into pop-up windows.
Make sure they have basic security programs installed and functioning correctly. Any computer used for business purposes should have a firewall, along with antivirus and anti-malware programs, and employees should regularly run checks for malicious programs. Whenever new security patches and updates are released for their operating system or apps, they should be immediately installed.
You should also emphasize the importance of keeping work and personal emails, documents, and accounts separate. Users should avoid saving company documents on personal accounts, or allowing outsiders to have access to anything stored in the company’s filespace. Similarly, they should not store company data on computers, cellphones or other personal electronic devices, unless it’s absolutely necessary (if they’re working in the cloud, it generally won’t be). If they work offsite, encourage users to set up any browsers they use for work to clear all stored data every time they close a window. If it’s practical, you should also tell users to avoid working over unsecured WiFi, such as in coffee shops.
Virtru Email Encryption is the Key to Google Apps Security
If there’s a hole in your company’s security, a determined hacker can find it. By preventing spoofing, creating strong passwords, monitoring users for security issues, and enforcing a workplace security culture, you’ll be able to stop most attacks against Google Apps security.
But unless you protect them from being read in transit, your company’s emails will still be vulnerable every time you you send them to non-Gmail users. Try Virtru today, for effortless client-side encryption, and give your security team one less thing to worry about.