You worked hard to establish your business. Don’t let security risks impact your success. Take these security measures to help protect your business information.
If you have a very small business (1-20 users) or small business (21-100 users), you probably don’t have a dedicated IT administrator, so we’ll keep the list short!
Protect your accounts
Use unique passwords
A good password is the first line of defense for user and admin accounts. Unique passwords aren’t easily guessed. For example, think of a long sentence and use the first letter of each word as your password. Also discourage password reuse across different accounts, such as email and online banking.

Require admins and key users to give extra proof of who they are
If someone manages to steal a password, 2-Step Verification (2SV) can prevent them from accessing the account. 2SV requires users to verify their identity with something they know (such as a password) plus something they have (such as a physical security key or an access code). We recommend that everyone in your business use 2SV, but it’s especially important for admins and for users who work with sensitive data such as financial records and employee information. You should enforce 2SV for admins and key users.
Related articles: Protect your business with 2-Step Verification; Deploy 2-Step Verification

Admins should add recovery information to their account
If your admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Get backup codes ahead of time
If your business enforces 2SV and a user or admin loses access to their 2SV method, they won’t be able to sign in. Examples are a user who receives 2SV codes on their phone and loses the phone, or a user who loses their security key. In such a case, they can sign in with a 2SV backup code. Admins and users with 2SV turned on should generate and print backup codes and keep them in a secure location.

Create an additional super admin account
A business should have more than one super administrator account, each managed by a separate person. If your primary super admin account is lost or compromised, the backup super admin can perform critical tasks while the primary account is recovered. You create another super admin by assigning the super admin role to another user.

Keep information on hand for super admin password reset
If a super admin can’t reset their password using the email or phone recovery options, and no other super admin is available to reset it, they can contact Google Support. To verify identity, Google asks questions about the organization’s account, and the admin also needs to prove DNS ownership of the domain. Keep account information and DNS credentials in a secure place in case they’re needed.

Super admins shouldn’t remain signed in to their account
Super admins can manage every aspect of your company’s account and can access all business and employee data. Staying signed in to a super admin account when you aren’t performing specific administrative tasks increases exposure to malicious activity. Super admins should sign in as needed to do specific tasks and then sign out. For daily administrative tasks, use an account with limited admin roles.
Related articles: Pre-built administrator roles; Security best practices for administrator accounts

Enable auto-update for apps and internet browsers
To get the latest security updates, make sure your users enable auto-update for their apps and internet browsers. If they use Chrome, you can configure auto-update for your entire organization.
Related article: Auto-update policies (Chrome)
If you use Gmail, Calendar, Drive, Docs
Turn on enhanced pre-delivery message scanning
Phishing is the malicious practice of sending email that tries to trick users into revealing sensitive information, such as passwords, account numbers, or other personally identifiable information. Google scans incoming messages to help protect against phishing. When Gmail identifies an email as a likely phishing attempt, it might display a warning or move the email to the spam folder. Enhanced pre-delivery message scanning lets Gmail catch email that previously might not have been identified as phishing.

Turn on additional malicious file and link screening for Gmail
Google scans incoming messages to protect against malicious programs, such as computer viruses. Turn on additional safety checks for attachments, links, and external images to help catch email that previously might not have been identified as malicious.

Make sure email recipients don’t mark your email as spam
Spam is unsolicited bulk email. It’s generally used by unscrupulous advertisers because there are no operating costs beyond managing their mailing lists. Sender Policy Framework (SPF) is an email authentication method that authorizes legitimate email sent by users at your company: an SPF record identifies which mail servers are allowed to send email on behalf of your domain. If you don’t set up SPF for your domain, some of your messages could bounce or be marked as spam.

Restrict calendar sharing with people outside your company
User calendars can contain sensitive information, so limit how your users share their calendars with external users. Restrict external calendar sharing to free/busy information only.

Limit who can see newly created files

Warn users when they share a file with people outside your company
If you let users share files with external people, make sure they get a warning when they attempt to do so. The warning prompts them to confirm that they want to share the file with someone outside your company.
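To make the SPF point above concrete, here is an added example (not from this checklist or from Google's tooling) that evaluates a sending IP against a domain's SPF record the way a receiving mail server does. It replaces live DNS with a small constructed set of TXT records for hypothetical domains, so you can see why a missing record yields "none" and a server left out of the record yields "fail" or "softfail".

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; every name and address here is
# hypothetical (documentation ranges), not a real domain or mail provider.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none.
    A real checker would query DNS for TXT records instead of this dict."""
    record = DNS_TXT.get(domain.lower())
    return record if record and record.startswith("v=spf1") else None


def spf_check(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF record as a receiver would.
    Returns pass, fail, softfail, neutral, none, or permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (e.g. include) at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no SPF at all: receivers can only guess, hence the spam risk
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network (and vice versa), so a
            # mismatched family simply fails to match rather than raising.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced domain's policy passes
            matched = spf_check(sender_ip, arg, depth + 1) == "pass"
        else:
            # a, mx, exists and redirect= need live DNS; not modelled here
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

Swapping lookup_spf for a real TXT query turns this into a quick check that your domain's published record actually authorizes every server you send from.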
Does your business have special security requirements?
Your business might have fewer than 10 people but have the information security requirements of a much larger company.
For example, small investment and financial planning businesses, and any business that works with health information might have special regulatory, privacy, and security requirements. These companies might have dedicated IT admins who take care of these extra requirements.
If that sounds like your business, follow the security best practices in the Security checklist for medium and large businesses (100+ users).