Security 8 April 2026 5 min read

5 signs your Google Workspace needs a security review

Most businesses don't discover their Workspace security is lacking through a proactive review. They discover it when a client gets a phishing email from their domain, or when a departing employee takes files they shouldn't have, or when someone flags a login from an unexpected country. Here are five signs the review should have happened already.


The challenge with Google Workspace security is that the gaps are invisible until they aren't. Your Workspace looks the same whether MFA is properly enforced or not. Email arrives normally whether your DMARC policy is set to reject or set to nothing. Nobody sends you a notification when a former employee's account is still active.

You don't know there's a problem until something goes wrong, which is exactly why a proactive review matters — and why the five signs below should prompt one sooner rather than later.

1 Your Workspace was set up more than 12 months ago and nobody has reviewed it since

This is the most common situation. A Workspace gets set up — usually by whoever was available to do it, with the goal of getting email working — and then the configuration stays exactly as it was. Admin Console settings that were defaults in 2022 are still defaults today. Sharing permissions that were set for convenience haven't been reviewed. Former employees' accounts haven't been audited.

Google Workspace is not a set-and-forget platform from a security perspective. Every new app connected, every new user added, every configuration change made — all of these affect your security posture. A Workspace that was set up properly two years ago is not necessarily still properly configured today.

The quick test

Go to admin.google.com → Security → Authentication → 2-step verification. Is enforcement set to "On"? If it says "Off" or "Optional", your Workspace has never been properly hardened. This one check tells you most of what you need to know.

2 Someone has left the company in the last 12 months without a formal offboarding process

If someone left and you changed their password and hoped for the best — or just suspended the account without checking whether there were email forwarding rules, third-party app connections, or Shared Drive permissions that needed to be revoked — the offboarding was incomplete. Incomplete offboarding means data exposure risk that persists indefinitely.

This is particularly acute for businesses where the departure wasn't on the best of terms. An active account belonging to someone who left unhappy is a liability that most business owners don't think about until it becomes a problem.
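The items section 2 lists (forwarding rules, third-party app grants, Shared Drive permissions) each live behind a different Workspace API, which is why a password change or a bare suspension misses them. The following added example is not GetBulwark's tooling; it evaluates constructed sample payloads shaped like the Gmail settings API (getAutoForwarding, filters.list), the Directory API (users.get, tokens.list) and the Drive API (permissions.list on a Shared Drive), and reports every piece of residual access that should stop you calling the offboarding complete.

```python
"""Residual-access check for an offboarded Workspace user (added example).

The inputs are constructed sample payloads in the shape of the Gmail,
Directory and Drive API responses named in the lead-in; a real run would
fetch them with a service account using domain-wide delegation.
"""

def residual_access(user, autoforward, filters, tokens, drive_perms):
    """Return findings that should block 'offboarding complete' for user['primaryEmail']."""
    email = user["primaryEmail"].lower()
    findings = []
    if not user.get("suspended", False):
        findings.append("account still active (not suspended)")
    # Mailbox-level auto-forwarding survives a password change; check it regardless of suspension
    if autoforward.get("enabled") and autoforward.get("emailAddress"):
        findings.append(f"auto-forwarding to {autoforward['emailAddress']}")
    # Filters can forward selectively and are easy to miss in the Admin Console
    for f in filters.get("filter", []):
        target = f.get("action", {}).get("forward")
        if target:
            findings.append(f"filter {f.get('id', '?')} forwards to {target}")
    # OAuth grants keep third-party apps reading mail or Drive until revoked
    for t in tokens.get("items", []):
        app = t.get("displayText", t.get("clientId"))
        findings.append(f"OAuth grant to {app}: {', '.join(t.get('scopes', []))}")
    # Shared Drive membership, especially organizer/manager, persists after suspension
    for drive_id, perms in drive_perms.items():
        for p in perms.get("permissions", []):
            if p.get("emailAddress", "").lower() == email:
                findings.append(f"{p.get('role')} on Shared Drive {drive_id}")
    return findings

# Constructed sample data for a departed employee (not real accounts or ids)
SAMPLE_USER = {"primaryEmail": "jane@example.com", "suspended": True}
SAMPLE_AUTOFORWARD = {"enabled": True, "emailAddress": "jane.personal@mail.example",
                      "disposition": "leaveInInbox"}
SAMPLE_FILTERS = {"filter": [{"id": "filter-1", "criteria": {"from": "finance@example.com"},
                              "action": {"forward": "jane.personal@mail.example"}}]}
SAMPLE_TOKENS = {"items": [{"clientId": "sample-client-id.apps.googleusercontent.com",
                            "displayText": "Mail Merge Add-on",
                            "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}]}
SAMPLE_DRIVE_PERMS = {"sample-finance-drive": {"permissions": [
    {"id": "p1", "type": "user", "emailAddress": "Jane@example.com", "role": "organizer"}]}}

if __name__ == "__main__":
    for finding in residual_access(SAMPLE_USER, SAMPLE_AUTOFORWARD, SAMPLE_FILTERS,
                                   SAMPLE_TOKENS, SAMPLE_DRIVE_PERMS):
        print("-", finding)
```

An empty list is the only acceptable result before the account is deleted or its data transferred.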

3 You've received a phishing email that appeared to come from a legitimate business

If you've received an email impersonating a supplier, a known contact, or another business — and it looked convincing — it usually means that business doesn't have its email authentication properly configured. The same can be true of your domain. Right now, anyone can attempt to send emails that appear to come from your address. Whether they succeed depends on whether you have SPF, DKIM, and DMARC correctly configured.

Receiving a convincing impersonation email is a useful reminder that the same attack can be run against your domain. Look up your domain on MXToolbox. If DMARC is missing or set to p=none, your domain is unprotected.
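The MXToolbox check above boils down to reading two DNS TXT records: the SPF record at your domain and the DMARC record at _dmarc.yourdomain. The added example below is not GetBulwark's tooling; it parses constructed sample records and applies the post's rule (DMARC missing or p=none means unprotected), and also flags an SPF record ending in +all, which passes any sender and so satisfies DMARC for anyone.

```python
"""Classify SPF and DMARC TXT records the way the post's quick check does (added example).

The record strings passed in are constructed samples; in practice they come
from a TXT lookup of <domain> and _dmarc.<domain>.
"""
import re

def dmarc_policy(txt):
    """Return (status, policy) for a _dmarc TXT record; txt=None means no record published."""
    if txt is None:
        return ("missing", None)
    # DMARC is 'tag=value' pairs separated by semicolons, e.g. v=DMARC1; p=none; rua=mailto:...
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ("invalid", None)
    policy = tags.get("p", "").lower()
    if policy == "none":
        return ("monitor-only", "none")
    if policy in ("quarantine", "reject"):
        pct = int(tags.get("pct", "100"))  # pct<100 applies the policy to only part of the mail
        return ("enforced" if pct == 100 else "partially-enforced", policy)
    return ("invalid", policy or None)

def spf_terminal(txt):
    """Return the SPF 'all' qualifier: fail (-all), softfail (~all), neutral (?all), pass (+all)."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return "missing"
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
    if not m:
        return "missing"
    return {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass", "": "pass"}[m.group(1)]

def domain_verdict(spf_txt, dmarc_txt):
    """unprotected: DMARC absent/none or SPF +all; weak: DMARC enforced but no SPF; else protected."""
    status, _ = dmarc_policy(dmarc_txt)
    if status in ("missing", "invalid", "monitor-only"):
        return "unprotected"
    spf = spf_terminal(spf_txt)
    if spf == "pass":
        return "unprotected"
    if spf == "missing":
        return "weak"  # DMARC can still pass via DKIM, but SPF alignment is never available
    return "protected"

if __name__ == "__main__":
    print(domain_verdict("v=spf1 include:_spf.google.com ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```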


4 You can't answer basic questions about your own Workspace

Try answering these without checking:

If the answer to most of these is "I don't know" — that's not a failure, it's just an accurate description of where most businesses are. But not knowing the answers means you don't know your security posture, and not knowing your security posture is a security risk in itself.

5 Your team uses personal devices to access company data with no management policy

Gmail on a personal phone, Google Drive on a personal laptop, Calendar synced to a personal device — all common, all unproblematic if the device is well-maintained, and all potentially significant if the device is lost, stolen, or compromised. Without Basic Mobile Management enabled in the Admin Console, you have no ability to remotely remove company data from a device, enforce a screen lock, or even know which devices have access to your Workspace.

This one is particularly relevant for remote-first businesses where every team member is working from their own equipment. The question is not whether devices should have access — they should, that's the point of Workspace. The question is whether there's any oversight of what those devices are and what happens to company data when one of them is lost.


If any of the five signs above apply to your business, a security review isn't a nice-to-have — it's overdue. The good news is that the free audit takes 45 minutes, covers all 20 controls, and leaves you with a clear picture of exactly what needs fixing. The report is yours regardless of what you decide to do next.

Callum Fraser, Founder, GetBulwark · Google Workspace Specialist
