The Google Workspace Admin Console is one of the most powerful security tools available to a small business — and one of the most underused. Most organisations go in once to set up email, add a few users, and then never look at it again. The defaults stay. The gaps stay. And the risks stay too.
This isn't a theoretical exercise. Every Workspace I audit has at least four of these eight settings in the wrong state. Most have six or seven. And because nothing visibly breaks when a security setting is misconfigured, there's no obvious signal that anything is wrong.
Here are the eight Admin Console settings I check in every audit, what they do, and what the correct configuration looks like.
Where to find the Admin Console
Go to admin.google.com. You'll need to be logged in as a Super Admin (or an admin with the right privileges). If you're not sure whether you have Super Admin access, look for the full Admin Console — not just the basic My Account view. If you can see sections like Security, Devices, and Reporting in the left-hand navigation, you're in.
1 Two-step verification: not enforced
This is the single most common finding. Most businesses either haven't turned on MFA at all, or they've made it available but not required. "Available but not required" means in practice that nobody uses it. People don't opt into inconvenience voluntarily, and a compromised account from a team member who skipped MFA is just as damaging as if you'd never set it up.
Security → Authentication → 2-step verification. Set enforcement to On. Set the new user enrolment period to 1–3 days. Tick "Allow users to trust the device". Do not set this to "Optional" — that's the same as off.
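Checking enforcement state for every user by hand is tedious once a Workspace has more than a handful of accounts. The script below is an added example (not part of the original article, and not a Google tool): it takes user records in the shape returned by the Directory API users.list call, whose isEnrolledIn2Sv, isEnforcedIn2Sv, isAdmin and creationTime fields are real, applies the 1–3 day enrolment window described above, and reports who is still outside the policy. The sample records and the audit timestamp are constructed; in practice you would feed it the live API response.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the Directory API users.list response.
# The field names are real Directory API user fields; the values are made up.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "creationTime": "2021-03-01T09:00:00.000Z"},
    {"primaryEmail": "finance@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "creationTime": "2022-06-15T09:00:00.000Z"},
    {"primaryEmail": "sales@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False,
     "creationTime": "2023-01-10T09:00:00.000Z"},
    {"primaryEmail": "newhire@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
     "creationTime": "2024-05-01T09:00:00.000Z"},
]
# Constructed "time of audit": one day after newhire@ was created.
NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)


def audit_2sv(users, now, enrolment_days=3):
    """Return (email, severity, finding) for each user whose 2SV state is wrong.

    enrolment_days mirrors the 1-3 day new-user enrolment period recommended
    in the article: an account created inside that window may still be unenrolled.
    """
    findings = []
    for u in users:
        created = datetime.strptime(u["creationTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        in_grace = now - created.replace(tzinfo=timezone.utc) <= timedelta(days=enrolment_days)
        severity = "high" if u.get("isAdmin") else "medium"  # admins matter most
        if not u.get("isEnforcedIn2Sv"):
            findings.append((u["primaryEmail"], severity,
                             "2SV not enforced (effectively Optional for this user)"))
        if not u.get("isEnrolledIn2Sv") and not in_grace:
            findings.append((u["primaryEmail"], severity,
                             "not enrolled in 2SV after the enrolment period"))
    return findings


def coverage_percent(users):
    """Share of accounts that are both enforced and enrolled (the target is 100)."""
    covered = sum(1 for u in users if u.get("isEnrolledIn2Sv") and u.get("isEnforcedIn2Sv"))
    return round(100 * covered / len(users)) if users else 0


if __name__ == "__main__":
    for email, severity, finding in audit_2sv(SAMPLE_USERS, NOW):
        print(f"[{severity}] {email}: {finding}")
    print(f"2SV coverage: {coverage_percent(SAMPLE_USERS)}%")
```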
2 Less secure app access: still on
Older apps and devices sometimes use a login method called "basic authentication" — essentially sending your username and password in plain text without going through Google's modern sign-in system. Google calls these "less secure apps." The setting to allow them is on by default in some configurations and, if left on, lets attackers bypass MFA entirely by using legacy protocols that don't support it.
Security → Less secure apps. Turn access off. If a specific app stops working, that's a signal the app itself needs updating — not a reason to leave the door open. Modern apps all support OAuth, which is the secure alternative.
3 External sharing in Drive: set to anyone with a link
Google Drive's default external sharing setting is generous. In many configurations, users can share files with "anyone who has the link" — meaning a file link accidentally shared in a Slack message or pasted into the wrong email becomes publicly accessible. For businesses handling client data, contracts, or financial records, this is a serious data governance risk.
Apps → Google Workspace → Drive and Docs → Sharing settings. Under "Sharing options", change external sharing to Off or restrict it to specific trusted domains if you regularly collaborate with external partners. Enable the warning message when users share externally.
"A file link accidentally pasted into the wrong channel becomes publicly accessible. That's not an edge case — it's how most data leaks at small businesses actually happen."
4 Password strength policy: not configured
By default, Google Workspace imposes a minimum password length of 8 characters. That's weak by modern standards. Without a stronger policy, users are free to set passwords like "Password1!" and technically comply with the rules. Combined with no MFA, a weak password is the only thing standing between an attacker and full account access.
Security → Password management. Set minimum length to 12 characters. Enable "Enforce strong password", and under password strength enforcement tick "Next sign-in" so the policy applies to all existing users at their next login, not just to new accounts.
5 Session duration: set to indefinite
By default, Google sessions don't expire. A user who logged in to Gmail three years ago on a device they no longer use may still have an active session. If that device was sold, lost, or compromised, the session is still valid. This matters particularly for high-privilege accounts — admin or finance roles where prolonged unauthorised access could do serious damage.
Security → Google session control. Set Web session duration to 8 or 12 hours for standard users, and to 1–4 hours for admin accounts. Separately, under Account → Admin roles, restrict Super Admin privileges to only the accounts that genuinely need them.
Not sure how your Admin Console stacks up?
GetBulwark runs a free 20-point security audit across every major Admin Console setting. 45 minutes, written report, no obligation.
6 Alert Centre: never checked
Google's Alert Centre sends notifications about suspicious activity — login attempts from unusual locations, potential phishing emails sent from your domain, accounts suspended for suspicious behaviour. Most businesses don't know it exists. The notifications go to the admin email and, if that's an alias or a shared inbox nobody actively monitors, they pile up unread.
Security → Alert Centre. Review all existing alerts — you may find things have already happened that you don't know about. Then go to Reporting → Email notifications and set alert emails to an inbox you actively monitor. Review the Alert Centre at least once a month.
7 Third-party app access: unrestricted
Every time one of your team clicks "Sign in with Google" on an external website or app, they're granting that app access to their Google account data. By default, users can do this without any admin approval. Over time, most Workspaces accumulate dozens of third-party apps with varying levels of access — some legitimate, some abandoned, some potentially high-risk.
Security → API controls → Manage third-party app access. Review what's already been granted. Remove anything unrecognised or no longer in use. Under "App access control", set it to "Restricted" so new third-party apps require admin approval before users can grant them access.
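Reviewing granted apps is easier when they are ranked by what they can actually reach rather than by name. The script below is an added example (not from the original article and not a Google tool): it takes token records in the shape returned by the Directory API tokens.list call, whose clientId, displayText, scopes and anonymous fields are real, and sorts the grants by the OAuth scopes they hold. The scope strings are real Google scopes; the tiering of those scopes into risk levels and all sample values are this example's own.

```python
# Real Google OAuth scope strings; the risk tiers are this example's own grouping.
HIGH_RISK = {
    "https://mail.google.com/": "full Gmail read/send/delete",
    "https://www.googleapis.com/auth/drive": "full Drive read/write",
    "https://www.googleapis.com/auth/admin.directory.user": "manage Workspace users",
}
READ_ONLY = {
    "https://www.googleapis.com/auth/drive.readonly": "read all Drive files",
    "https://www.googleapis.com/auth/gmail.readonly": "read all Gmail",
}
LOW_RISK = {"openid", "https://www.googleapis.com/auth/userinfo.email",
            "https://www.googleapis.com/auth/userinfo.profile"}

# Constructed sample in the shape of the Directory API tokens.list response,
# keyed by the user it was fetched for. Field names are real; values are made up.
SAMPLE_TOKENS = {
    "sales@example.com": [
        {"clientId": "111.apps.googleusercontent.com", "displayText": "CRM Connector",
         "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"], "anonymous": False},
        {"clientId": "222.apps.googleusercontent.com", "displayText": "PDF Merge Tool",
         "scopes": ["https://www.googleapis.com/auth/drive", "openid"], "anonymous": False},
    ],
    "finance@example.com": [
        {"clientId": "333.apps.googleusercontent.com", "displayText": "Mail Helper",
         "scopes": ["https://mail.google.com/"], "anonymous": True},
    ],
}


def classify(token):
    """Return ('high' | 'read' | 'low', [reasons]) for one granted token."""
    reasons = [HIGH_RISK[s] for s in token["scopes"] if s in HIGH_RISK]
    if reasons:
        return "high", reasons
    reasons = [READ_ONLY[s] for s in token["scopes"] if s in READ_ONLY]
    if reasons:
        return "read", reasons
    # Any scope we do not recognise is treated as at least read access, never ignored.
    unknown = [s for s in token["scopes"] if s not in LOW_RISK]
    return ("read", unknown) if unknown else ("low", [])


def review(tokens_by_user):
    """Every grant that deserves an admin's attention, highest risk first."""
    rows = []
    for user, tokens in tokens_by_user.items():
        for t in tokens:
            tier, reasons = classify(t)
            if tier == "low":
                continue
            # 'anonymous' is true when the app's client ID is not registered with Google.
            flag = " [unregistered app]" if t.get("anonymous") else ""
            rows.append((tier, user, t["displayText"] + flag, "; ".join(reasons)))
    return sorted(rows, key=lambda r: (r[0] != "high", r[1]))
```

Anything the review lists that nobody on the team recognises is a candidate for removal under Manage third-party app access.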
8 Mobile device management: not enabled
Most small businesses have team members accessing Gmail, Drive, and Docs from personal phones. By default, there's no management policy applied to those devices — no ability to remotely wipe company data if a phone is lost, no enforcement of screen lock, no visibility into what devices are accessing your Workspace. This is one of the first things I check when auditing a business with remote or hybrid workers.
Devices → Mobile & endpoints → Settings. Enable Basic Mobile Management (free with all Workspace plans). Set the policy to require a screen lock and enable remote wipe. Under Devices, you can see every device that has accessed your Workspace — review and remove anything unrecognised.
The pattern behind the list
None of these settings are obscure. They're all in the main navigation of the Admin Console. The reason most businesses have them wrong isn't technical — it's that nobody has been specifically tasked with checking them. The person who set up the Workspace was focused on getting email working, not on security hardening. And once it works, nobody goes back.
The good news is that these are all fixable in an afternoon, by anyone with Super Admin access and this list in front of them. The eight settings above will take you from a default-configured Workspace to something materially more secure — and they're all free to change.
If you want to go further — or if you'd rather have someone who does this every week run through all 20 checks and give you a written report — that's what the free audit is for.