Home / Risk Estimator
See your likely exposure before something forces you to.
Four questions about your Google Workspace setup. Then a clear picture of where you are exposed and the single most important thing to fix first.
This is not a comprehensive audit. It covers the four controls that account for the majority of incidents in small business Google Workspace environments.
Four questions. One clear first step.
Select the answer that reflects your current setup — not what you plan to have in place.
How many people use your Google Workspace?
User count affects your attack surface and the impact of a single compromised account.
Is MFA enforced for all users?
Not just available — actually required. No user can log in without a second factor.
Is there a backup of your Workspace data?
A real backup — not Google's recycle bin or version history.
Is there a formal process for removing leavers?
A consistent, documented process — not "we usually sort it out."
These are the controls that decide whether an incident happens.
MFA
The single biggest reduction in account takeover risk. Without it, one phished password gives an attacker everything. Enforcing it takes under an hour.
Backup
Google's recycle bin and version history are not a backup. A ransomware hit or deliberate deletion needs a real recovery path — or recovery becomes expensive, slow, or impossible.
Leaver process
Accounts from former staff stay active longer than anyone realises. Each one is a valid login that bypasses every other control you have in place.
User count
More users means more entry points, more accounts to manage on the way out, and a bigger blast radius if one account is compromised. Scale doesn't change what controls are needed — it changes the cost of getting them wrong.
This tool covers the four controls that appear most often in post-incident reviews. A full audit maps everything below this level — DMARC, sharing settings, admin roles, device management, and OAuth grants.
Book a free audit