G Suite Security: An Admin Security Checklist
As your company's G Suite security administrator, it is your job to make sure that your accounts are safe and protected. It is easy to become complacent when it comes to security, especially if nothing has ever happened in the past.
And that is exactly what hackers want ... complacency.
Today, we are going to discuss several ways that you can ensure that your G Suite accounts are secured. In this article we'll offer four concrete steps you can take to improve G Suite Security at your business, and remember that if you need assistance or would like our team to take a closer look at your G Suite settings to ensure you're following best practices, reach out to us at any time.
Data security is something that MUST be implemented and maintained at any organization; it is your job to make sure it is done right.
Use Strong Passwords
The most basic form of security is a strong password. Unfortunately, most users do not create strong passwords ... preferring to use something that they can remember easily. In fact, the most common passwords for 2019 included:
If you recognize your password in the list above ... stop reading and go change it immediately.
Hopefully none of your G Suite users have a password like this, but our guess is that some of them probably do. These passwords are both short and weak, plus they can be found on almost every brute-force password list on the internet. If you do not believe us, then check out the password list at Kaggle.com that has over 14 million passwords (these are all on that list; is yours?).
Since you are the G Suite security administrator at your organization, it is your job to help each person create a unique and strong password that is hard to penetrate. You can, and should, set a minimum and maximum password strength requirement. Then, you need to help each of your users understand what makes a good, strong password.
Here are some tips to create a strong password:
- It should be a minimum of 12 characters.
- It should have both uppercase and lowercase characters in it.
- It should have at least one number in it.
- It should have at least one special character in it.
- It should not have a name or identifier in it.
- Common words should be spelled differently (i.e. Help > H3!p)
- It should not be the same as a password used on a different website.
Of course, you can make it even more complicated, but following these basic guidelines offers a very good start.
Using the password strength meter from My1Login, a password of $AMZ-th3p!ACE2b! would take 8 million years to crack where a password of "Password" would only take 0.01 seconds to crack and My1Password would only take less than a second. Just changing a few characters to My1Pa$$W*rd! takes it from 0.02 seconds to 12 years.
Teach your users to trust and use strong passwords for each website and never to use the same password in more than one place.
Use Two-Factor Authentication
Next, you should enable two-factor authentication. Yes, your users might complain about the extra step, but their accounts will be more secure and so will your company's data.
Two-factor authentication (2FA) requires two verification steps before a user is allowed to log in. For instance, when a user tries to log into their account, an alert will be sent to their phone asking if they are trying to login. If they are, they would simply select yes. If they are not, then they would select no and the unauthorized user would be blocked from gaining access.
Several larger corporations are already using 2FA to limit unauthorized access. It is one of the most trusted and secure ways to keep someone out of your account, even if they have your password.
If you decide to use two-factor authentication at your company (and you should), then you need to make sure that all of your users are using it or they will be blocked from logging in (more headaches for you). You have the ability to set an "enforcement from date" in your G Suite Admin settings. Use this feature to give yourself a little bit of time to get everybody converted over.
While you may get a little kickback from some people not willing to make the change, 2FA is one of the best ways to deal with leaked and/or weak passwords, and it's a G Suite Security best practice.
Block Mobile Device Access
As it stands right now, almost everyone has a smartphone. Unfortunately, you cannot control what type of security measures your users have taken or will take on their personal phone. As such, there is a good chance that they could become an unwitting leak or point of entry if they are attached to your company.
As a security administrator, you need to make sure to limit and/or block mobile device access. Yes, this will make it more difficult for some of your users, but the level of security for your company will be greatly increased by choosing who has access to your G Suite files and data from their mobile devices.
If your users balk at this idea, let them know that you can install certain security programs and then you'll feel comfortable providing mobile device access (put this in some type of signed agreement).
Limit Third-Party Access
Another sore spot in any security implementation is when people allow other apps to access their accounts.
There are so many helpful third-party apps that make our work easier these days, that granting access to these apps is almost second-nature. But the reality is that third-party apps can absolutely wreak havoc on your security.
Fortunately, G Suite has several features that allow you to block these "less secure" apps from accessing your company's G Suite user accounts (even if they choose to allow access). To do this, all you have to do is go to your security tab in the admin panel, click on basic settings, then click on the less secure apps setting. From there, you will simply click on "Disable access to less secure apps for all users." Done!
After you implement this G Suite security setting, any user that allows access to a third party app will receive an email letting them know that someone tried to access their account using an app that was not approved. As the security administrator, you would be able to see if someone has actually allowed a less secure app on their account through a "Less Secure Apps Filter/Report."
Google identifies apps as "less secure" and/or "threats" when they do not follow OAuth 2.0 security standards. As such, they are considered a weak spot in a place where you could tighten up your security. Giving these apps access could potentially put your users and their data at risk. Fortunately, G Suite makes limiting access easy for you.
G Suite Security Admin Controls
As you can see, there are plenty of things that you can do as your company's G Suite security admin to prevent data loss and eliminate major security risks at your business.
These are four of the most important areas that you should address immediately. Of course, you can also do a few other things such as managing your OAuth-based access, enabling phishing detection, turning on the unintended external reply warnings, and even limiting calendar sharing.
The more you can do now, the better off you and your users will be later on. And if you're interested, Suitebriar's team of Google Cloud Premier Partners is offering a G Suite Security Audit, which you can request by clicking the button below.