Security Audit · 18 March 2026 · 7 min read

How to check if your Google Workspace is actually secure — a 10-minute self-audit

You don't need an IT background to check the most important security settings in your Google Workspace. You need 10 minutes and Super Admin access. This checklist covers the five checks that tell you most of what you need to know — and what to do if anything fails.


Most business owners who run on Google Workspace have a vague sense that they should be checking their security settings, but no clear idea of what to actually look at. This article gives you a concrete starting point — five checks, each taking under two minutes, that together tell you whether your Workspace has the most critical controls in place.

You'll need Super Admin access to do this. If you're not the Super Admin, find out who is and forward this article. If nobody is sure, go to admin.google.com — if you can see the full Admin Console, you're an admin.

Before you start: a note on what this covers

A full Workspace security audit — the kind GetBulwark runs manually — covers 20 checks across four categories. This 10-minute version covers five of the highest-impact ones. If you pass all five, you're materially better positioned than the average small business. If you fail any of them, fix those first before worrying about the other 15.

The 5-check self-audit

1. Is MFA enforced for all users?

Where to check: admin.google.com → Security → Authentication → 2-step verification

What to look for: The enforcement setting should be "On" — not "Off" or "Optional". If it says Optional, MFA exists but is not required, which means in practice most users won't have it.

What a pass looks like: Enforcement is On, with a defined grace period for new users (3–7 days).

If this fails

Read the full MFA enforcement guide. Fixing this is the highest-priority item in this list — do it before anything else.

2. Do any former employees still have active accounts?

Where to check: admin.google.com → Directory → Users

What to look for: Go through the user list and look for anyone who has left the business. Active accounts are shown in green. A former employee with an active account still has full access to everything they had access to when they left — email, Shared Drives, third-party apps connected to their account.

What a pass looks like: Every active user account belongs to a current employee. No former staff or contractors appear as active.

If this fails

Suspend any former employee accounts immediately (click their name → More → Suspend). Suspension blocks access without deleting data. You can decide whether to delete the account or transfer ownership of files later.
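Checks 1 and 2 can also be run over an exported user list rather than by eye, which matters once you have more than a screenful of users. The script below is an added example, not part of the article or GetBulwark's tooling. It takes user objects in the shape the Admin SDK Directory API users.list call returns (the fields primaryEmail, suspended, isEnrolledIn2Sv, isEnforcedIn2Sv and lastLoginTime) and a leavers list from HR; both inputs here are constructed samples. It also goes one step past the article by flagging active accounts with no login in 90 days, since those are often leavers nobody recorded.

```python
"""Checks 1 and 2 over an exported user list: who is active without
2-Step Verification, and which active accounts belong to people who left.

Input objects follow the Admin SDK Directory API users.list shape. The users
and the leavers list below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Directory API users.list response.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2026-03-10T09:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True,
     "lastLoginTime": "2026-03-15T17:40:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2025-11-02T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "lastLoginTime": "2025-06-01T12:00:00.000Z"},
]

# Constructed leavers list (in practice: the list HR gives you).
LEAVERS = {"carol@example.com", "dave@example.com"}

# Value the Directory API reports for an account that has never logged in.
NEVER_LOGGED_IN = "1970-01-01T00:00:00.000Z"


def parse_login(ts):
    """Directory API timestamps are RFC 3339 with milliseconds and a Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, leavers, now=None, stale_days=90):
    """Return findings for checks 1 and 2, plus a stale-login list that goes
    beyond the article's checks as a pointer to unrecorded leavers."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=stale_days)
    leavers = {e.lower() for e in leavers}
    # Suspended accounts cannot sign in, so only active ones count here.
    active = [u for u in users if not u.get("suspended", False)]
    return {
        # Check 1: active users who have not set up 2SV at all.
        "not_enrolled_2sv": sorted(
            u["primaryEmail"] for u in active if not u.get("isEnrolledIn2Sv", False)),
        # Check 1: active users the enforcement policy does not cover
        # (for example an OU or group that was exempted).
        "not_enforced_2sv": sorted(
            u["primaryEmail"] for u in active if not u.get("isEnforcedIn2Sv", False)),
        # Check 2: active accounts that belong to known leavers.
        "active_leavers": sorted(
            u["primaryEmail"] for u in active if u["primaryEmail"].lower() in leavers),
        # No login for `stale_days`: confirm the person still works here.
        "stale_active": sorted(
            u["primaryEmail"] for u in active
            if parse_login(u.get("lastLoginTime", NEVER_LOGGED_IN)) < cutoff),
    }


def run_sample(now="2026-03-18T00:00:00.000Z"):
    """Run the audit over the constructed sample at a fixed date."""
    return audit_users(SAMPLE_USERS, LEAVERS, now=parse_login(now))


if __name__ == "__main__":
    for check, emails in run_sample().items():
        print(f"{check}: {', '.join(emails) or 'none'}")
```

Every name in the output is something to act on: enrol or chase the first group, fix the enforcement scope for the second, suspend the third, and confirm the fourth with whoever manages staff. Suspended accounts are skipped deliberately, because suspension is exactly what the article tells you to do with a leaver.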

3. Are your email authentication records correct?

Where to check: MXToolbox — enter your domain and run SPF, DKIM, and DMARC checks

What to look for: All three should be present and configured. DMARC specifically should have a policy of p=quarantine or p=reject. If it shows p=none, the record exists but does nothing to protect you.

What a pass looks like: SPF: valid. DKIM: valid. DMARC: valid with p=quarantine or p=reject.

"A DMARC policy of p=none tells receiving servers to do nothing with emails that fail authentication. It's the equivalent of a 'no entry' sign with no lock on the door."

If this fails

Read the DMARC setup guide. This is one of the two most commonly misconfigured settings in audits.
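If you would rather read the raw records than rely on a lookup tool's colour coding, the following added example (not from the article or GetBulwark) parses SPF and DMARC TXT records and applies the pass criteria from check 3, plus two caveats the "valid" label can hide: a DMARC pct below 100 applies the policy to only a fraction of failing mail, and more than one SPF or DMARC record at the same name makes receivers ignore them all. The record strings are constructed samples; real ones come from the TXT record at the domain apex (SPF) and at _dmarc.<domain> (DMARC).

```python
"""Check 3 on the record text: parse SPF and DMARC TXT records and say
whether they actually protect the domain.

The records at the bottom are constructed samples, not real domains' records.
"""


def parse_dmarc_tags(record):
    """Turn 'v=DMARC1; p=quarantine; rua=...' into {'v': 'DMARC1', 'p': ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt_records):
    """txt_records: all TXT strings published at _dmarc.<domain>.
    Returns (status, reason) with status 'pass', 'warn' or 'fail'."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "fail", "no DMARC record published"
    if len(dmarc) > 1:
        # RFC 7489 s6.6.3: with more than one record, receivers stop processing.
        return "fail", "multiple DMARC records; receivers treat this as none"
    tags = parse_dmarc_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "fail", f"p={policy or 'missing'} does nothing with failing mail"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return "warn", f"p={policy} is applied to only {pct}% of failing mail"
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in ("quarantine", "reject"):
        return "warn", f"sp={subdomain_policy} leaves subdomains unprotected"
    return "pass", f"p={policy} for the domain and its subdomains"


def evaluate_spf(txt_records):
    """txt_records: all TXT strings published at the domain apex."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return "fail", "no SPF record published"
    if len(spf) > 1:
        # RFC 7208 s3.2: multiple records are a permanent error for receivers.
        return "fail", "multiple SPF records; receivers return permerror"
    terms = spf[0].split()[1:]
    # RFC 7208 s4.6.4 allows at most 10 DNS-querying mechanisms per evaluation.
    lookups = sum(
        1 for t in terms
        if t.lower().lstrip("+-~?").split(":", 1)[0].split("/", 1)[0]
        in ("include", "a", "mx", "ptr", "exists")
        or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        return "fail", f"{lookups} DNS lookups exceed the limit of 10 (permerror)"
    terminal = terms[-1].lower() if terms else ""
    if terminal in ("-all", "~all"):
        return "pass", f"ends in {terminal}"
    if terminal in ("+all", "all", "?all"):
        return "fail", f"ends in {terminal}, which lets any server send as you"
    return "warn", "no terminal all mechanism; policy depends on a redirect"


def audit_email_auth(apex_txt, dmarc_txt):
    """Combine both evaluations into the check 3 pass/fail summary."""
    spf = evaluate_spf(apex_txt)
    dmarc = evaluate_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc,
            "pass": spf[0] == "pass" and dmarc[0] == "pass"}


# Constructed samples: a Workspace-style domain that passes, and a p=none record.
GOOD_APEX = ["v=spf1 include:_spf.google.com ~all", "google-site-verification=abc123"]
GOOD_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
WEAK_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]

if __name__ == "__main__":
    print(audit_email_auth(GOOD_APEX, GOOD_DMARC))
    print(audit_email_auth(GOOD_APEX, WEAK_DMARC))
```

DKIM is left out because its TXT record lives under a selector name you have to know (Workspace publishes it at google._domainkey by default, but only if DKIM was set up), so presence is best confirmed in the Admin Console or by sending yourself a message and reading the Authentication-Results header.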

4. Is external Drive sharing restricted?

Where to check: admin.google.com → Apps → Google Workspace → Drive and Docs → Sharing settings

What to look for: Under "Sharing outside of [your organisation]", check whether users can share files with anyone external. The default setting is permissive. Look for whether "Anyone with the link can access" is enabled at the org level — if it is, any file your team creates can be shared publicly with a single click.

What a pass looks like: External sharing is either off or restricted to approved domains. "Anyone with the link" access is disabled or requires admin approval.
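The sharing setting controls what users can do from now on; it does not tell you what is already shared. As an added example (not from the article or GetBulwark), the script below scans file objects in the shape the Drive API v3 files.list call returns when asked for the permissions field and reports anything readable outside an approved list of domains: "anyone with the link" grants, whole-domain grants to other domains, and individual external users or groups. The files and the approved-domain list are constructed; obtaining a real listing across the organisation is assumed to be done through the Drive API with an admin's delegated access, which this example does not cover.

```python
"""Check 4 on existing files: which ones are already exposed outside the
organisation, whatever the sharing setting says today.

File objects follow the Drive API v3 files.list shape with
fields=files(id,name,permissions). Everything below is a constructed sample.
"""

# Constructed: the organisation's own domain plus domains it has approved.
APPROVED_DOMAINS = {"example.com", "partner.example"}

# Constructed sample in the shape of a Drive API v3 files.list response.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q1 forecast", "permissions": [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Staff handbook", "permissions": [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "domain", "domain": "example.com", "role": "reader"}]},
    {"id": "f3", "name": "Contract draft", "permissions": [
        {"type": "user", "emailAddress": "bob@example.com", "role": "owner"},
        {"type": "user", "emailAddress": "someone@gmail.com", "role": "writer"}]},
    {"id": "f4", "name": "Shared plan", "permissions": [
        {"type": "user", "emailAddress": "bob@example.com", "role": "owner"},
        {"type": "user", "emailAddress": "pm@partner.example", "role": "commenter"}]},
]


def external_exposure(files, approved_domains):
    """Return (file id, file name, grantee, role) for every grant that reaches
    outside the approved domains. Grantee is 'anyone-with-link', 'domain:<d>'
    or 'external:<address>'."""
    approved = {d.lower() for d in approved_domains}
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            kind = p.get("type")
            if kind == "anyone":
                # Link sharing: anyone who gets the URL can open the file,
                # whether or not search engines can discover it.
                findings.append((f["id"], f["name"], "anyone-with-link", p.get("role")))
            elif kind == "domain":
                domain = p.get("domain", "").lower()
                if domain not in approved:
                    findings.append((f["id"], f["name"], f"domain:{domain}", p.get("role")))
            elif kind in ("user", "group"):
                address = p.get("emailAddress", "")
                domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
                if domain and domain not in approved:
                    findings.append((f["id"], f["name"], f"external:{address}", p.get("role")))
    return findings


def summarise(findings):
    """Count exposed grants by category, for a quick read of how bad it is."""
    counts = {}
    for _, _, grantee, _ in findings:
        category = grantee.split(":", 1)[0]
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in external_exposure(SAMPLE_FILES, APPROVED_DOMAINS):
        print(finding)
    print(summarise(external_exposure(SAMPLE_FILES, APPROVED_DOMAINS)))
```

Sort the output by role before acting on it: an external "writer" or "owner" grant is the one to remove first, and a file with an "anyone" grant should be checked for what it actually contains before the link is revoked, because revoking also breaks any legitimate use of that link.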


5. Have you checked the Alert Centre recently?

Where to check: admin.google.com → Security → Alert Centre

What to look for: Any unread or unacknowledged alerts. Look particularly for alerts about suspicious login activity, account compromise, or suspicious email detected. A clean Alert Centre that's never been checked doesn't mean nothing has happened — it means nobody has been looking.

What a pass looks like: Alert Centre has been reviewed within the last 30 days. Any alerts have been investigated and resolved or acknowledged.

What to do with the results

If you passed all five: you're ahead of most small businesses in the UK. The next step is running through the remaining 15 checks — either yourself using the Admin Console settings guide, or by booking the full audit where someone does it with you.

If you failed one or more: start with the highest-risk finding and work through them in order. MFA first, then leaver accounts, then email authentication, then Drive sharing, then Alert Centre. Each fix takes less than an hour. Together they close most of the attack surface that affects small businesses on Google Workspace.

If you don't have Super Admin access and aren't sure who does: that's itself a finding. Find out, document it, and make sure the right person is responsible for running through this checklist at least every quarter.

Callum Fraser, Founder, GetBulwark · Google Workspace Specialist
