The gap between default settings and a properly hardened Workspace environment is where credential theft, data exposure, and account compromise happen.

The Most Common Google Workspace Security Failures
1. 2-Step Verification is optional, not enforced
Google makes 2-Step Verification (2SV) easy to enable and easy to skip. In many Workspace tenants, 2SV is enabled at the admin level but set to optional for users — meaning each employee decides whether to complete setup. We routinely find 20–40% of users in newly onboarded tenants who have never activated it.
Fix: In the Google Admin Console, navigate to Security → 2-Step Verification and set enforcement to "On" for all users. Set a grace period for new users (7–14 days) but make completion mandatory. For admin accounts, require hardware security keys.
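To turn the "20–40% never activated it" observation into a repeatable check, the script below reports 2SV coverage from a user export. It is an added example, not code from the original article or from Google. The user records are constructed, but their field names (primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended) match the Admin SDK Directory API user resource, so the same function works on the JSON returned by users.list().

```python
"""Report 2-Step Verification coverage from a Directory API user export.

Added example, not part of the original article. The records below are
constructed; the field names match the Directory API user resource.
"""
from dataclasses import dataclass, field

# Constructed sample export: one admin and one regular user never enrolled,
# plus a suspended account that must not count against coverage.
SAMPLE_USERS = [
    {"primaryEmail": "owner@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "helpdesk@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "alice@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    {"primaryEmail": "bob@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    {"primaryEmail": "former@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]


@dataclass
class TwoSvReport:
    active_users: int = 0
    enrolled: int = 0
    not_enrolled: list = field(default_factory=list)        # users who never set 2SV up
    admins_not_enrolled: list = field(default_factory=list) # the urgent subset
    not_enforced: list = field(default_factory=list)        # policy still "optional" for them

    @property
    def enrollment_pct(self) -> float:
        return 100.0 * self.enrolled / self.active_users if self.active_users else 0.0


def two_sv_report(users):
    """Walk the export once and bucket every active user."""
    report = TwoSvReport()
    for u in users:
        if u.get("suspended"):
            continue  # suspended users cannot sign in, so they do not count
        report.active_users += 1
        email = u["primaryEmail"]
        if u.get("isEnrolledIn2Sv"):
            report.enrolled += 1
        else:
            report.not_enrolled.append(email)
            if u.get("isAdmin"):
                report.admins_not_enrolled.append(email)
        if not u.get("isEnforcedIn2Sv"):
            report.not_enforced.append(email)
    return report


if __name__ == "__main__":
    r = two_sv_report(SAMPLE_USERS)
    print(f"2SV enrolled: {r.enrolled}/{r.active_users} ({r.enrollment_pct:.0f}%)")
    print("Admins without 2SV:", r.admins_not_enrolled)
    print("Users enforcement does not apply to:", r.not_enforced)
```

On a real tenant, pull the export with the Directory API (or the Admin Console user list download) and feed it to two_sv_report; a non-empty admins_not_enrolled list is the finding to fix first, and a non-empty not_enforced list means the enforcement setting is still "Optional" for some group or organizational unit.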
2. Phishing-resistant 2SV methods aren't enforced
Not all 2SV methods are equal. SMS codes and authentication app TOTP codes can be intercepted or bypassed through real-time phishing attacks (adversary-in-the-middle attacks that capture the code as the user enters it). Phishing-resistant methods — Google Passkeys and FIDO2 hardware security keys — cannot be intercepted this way.
For accounts with access to sensitive data or administrative authority, phishing-resistant 2SV should be required. Standard TOTP is substantially better than nothing, but it's not the ceiling.
3. Google Drive sharing is set to 'Anyone with the link'
Google Drive's default sharing model is permissive. Files and folders shared with 'Anyone with the link' are accessible by anyone who obtains that link — through email forwarding, phishing, accidental sharing in a public channel, or a browser history compromise.
Phoenix businesses routinely share client deliverables, financial documents, and internal strategy files with 'Anyone with the link' because it's the path of least resistance. The result is a sprawling collection of sensitive files with effectively no access control.
Fix: In Admin Console → Drive and Docs → Sharing Settings, restrict default sharing to 'People in [your organization]' or 'People in [your organization] and trusted domains.' Require link expiration for external shares. Audit existing shared links quarterly.
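The quarterly audit of existing shared links can be scripted against a Drive listing. The code below is an added example, not from the article or from Google; the file records are constructed, but the permission fields (type, role, emailAddress, domain, expirationTime, allowFileDiscovery) are those of the Drive API v3 permissions resource, so a files.list() response requested with fields="files(id,name,permissions)" has the same shape. ORG_DOMAIN, TRUSTED_DOMAINS and the fixed clock NOW are assumptions standing in for the tenant's own values. It also applies the trusted-domain allowlist from the checklist later in the article, flagging external shares that lack an expiry or grant write access.

```python
"""Flag Drive files whose sharing violates the policy described above.

Added example, not part of the original article or of Google's tooling.
Records are constructed; permission fields follow the Drive API v3 shape.
"""
from datetime import datetime, timezone

ORG_DOMAIN = "example.com"                        # assumed tenant domain
TRUSTED_DOMAINS = {"partner.example"}             # assumed allowlisted partner domains
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible

SAMPLE_FILES = [
    {"id": "f1", "name": "Q4 financials.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Client deliverable.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "pm@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "jane@partner.example",
         "expirationTime": "2025-02-01T00:00:00.000Z"}]},
    {"id": "f3", "name": "Internal strategy.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ceo@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "contractor@gmail.com"}]},
    {"id": "f4", "name": "Old proposal.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "bob@partner.example",
         "expirationTime": "2024-06-01T00:00:00.000Z"}]},
    {"id": "f5", "name": "Team notes.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
]


def _parse_rfc3339(ts):
    # Drive returns timestamps like "2025-02-01T00:00:00.000Z"; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_permission(perm, now=NOW):
    """Return the list of finding codes for one permission entry."""
    findings = []
    if perm.get("type") == "anyone":
        findings.append("ANYONE_WITH_LINK")
        if perm.get("allowFileDiscovery"):
            findings.append("PUBLIC_SEARCHABLE")   # worse: indexed, not just link-reachable
        return findings
    # user/group entries carry emailAddress, domain entries carry domain
    domain = perm.get("domain") or perm.get("emailAddress", "").rpartition("@")[2]
    if not domain or domain == ORG_DOMAIN:
        return findings                           # internal share: nothing to flag
    if domain not in TRUSTED_DOMAINS:
        findings.append("EXTERNAL_UNTRUSTED_DOMAIN")
    exp = perm.get("expirationTime")
    if exp is None:
        findings.append("EXTERNAL_NO_EXPIRY")
    elif _parse_rfc3339(exp) < now:
        findings.append("EXTERNAL_EXPIRED")       # past its expiry: remove to be sure
    if perm.get("role") in ("writer", "fileOrganizer", "organizer"):
        findings.append("EXTERNAL_WRITE_ACCESS")
    return findings


def audit_files(files, now=NOW):
    """Map file id -> sorted list of distinct findings across its permissions."""
    result = {}
    for f in files:
        codes = set()
        for p in f.get("permissions", []):
            codes.update(audit_permission(p, now))
        if codes:
            result[f["id"]] = sorted(codes)
    return result


if __name__ == "__main__":
    names = {f["id"]: f["name"] for f in SAMPLE_FILES}
    for fid, codes in audit_files(SAMPLE_FILES).items():
        print(f"{names[fid]}: {', '.join(codes)}")
```

Only the "anyone" share, the untrusted external writer and the stale partner share are reported; the partner share with a future expiry and the domain-wide internal share pass, which is the state the Fix above aims for.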
4. Less secure app access is enabled
Legacy applications that can't support modern OAuth authentication connect to Google using 'less secure app' access — basic username and password authentication that bypasses 2SV entirely. This is the Google equivalent of legacy authentication in Microsoft 365: a backdoor around your security controls.
Fix: Disable less secure app access in Admin Console → Security → Less Secure Apps. Identify any applications requiring it and update or replace them. Modern applications should use OAuth 2.0.
5. Admin accounts use personal Gmail addresses
Google Workspace allows administrators to add recovery email addresses and phone numbers to admin accounts — typically personal Gmail addresses. If that personal Gmail account is compromised, an attacker may be able to initiate account recovery on the Workspace admin account.
Additionally, many small business Workspace deployments have the owner's personal Google account as the only Super Admin. This creates a single point of failure and mixes personal Google activity with corporate administrative access.
Fix: Create dedicated Super Admin accounts used only for administration, not daily email. Add a secondary Super Admin for redundancy. Remove personal Gmail recovery options from admin accounts.
6. Google Vault isn't configured for retention
Google Vault is the eDiscovery and retention tool included in Workspace Business Plus and above. It allows you to set retention rules for email and Drive content, place legal holds, and export data for legal or compliance purposes. Most Phoenix Workspace customers have never configured it.
For businesses in regulated industries or those with document retention obligations, unconfigured Vault means no retention policy, no audit trail, and no way to produce email records for a legal hold.
Fix: Configure default retention rules for Gmail and Drive appropriate to your industry. Test Vault export capability before you need it.
The Google Workspace Security Tiers
Edition | Key Security Features | Recommended For
--- | --- | ---
Business Starter | Core apps, basic 2SV, standard admin controls | Minimum viable — limited security management tools
Business Standard | Adds audit and reporting, eDiscovery in Vault | Small teams; adds visibility but limited enforcement
Business Plus | Adds Vault + enhanced audit, advanced endpoint management, investigation tool | Most Phoenix SMBs with compliance requirements — the sweet spot
Enterprise | Advanced DLP, context-aware access, security dashboard, SIEM integration | Mid-market and regulated industries
Google Workspace Business Plus is the Google equivalent of Microsoft 365 Business Premium — the tier where the security tooling becomes meaningfully useful for an SMB. The jump from Standard to Plus adds Vault, enhanced audit, and advanced endpoint management that most Phoenix businesses with any compliance requirement actually need.
What a Properly Secured Google Workspace Tenant Looks Like
• 2-Step Verification enforced for all users, phishing-resistant methods required for admin accounts.
• Less secure app access disabled; all applications use OAuth 2.0.
• Drive sharing restricted to authenticated users; 'Anyone with link' disabled or limited to specific use cases with expiration.
• External sharing domains allowlisted — only approved partner domains can receive shared content.
• Admin accounts are dedicated, not used for daily work; Super Admin credentials secured with hardware keys.
• Google Vault configured with retention rules appropriate to your industry.
• Alert center configured for: new admin account created, suspicious login, large file download, user suspended.
• Endpoint management (MDM) active for all devices accessing Workspace; screen lock and encryption enforced.
• Context-Aware Access configured for sensitive apps (Business Plus and above): only compliant devices can access.
• Audit logs reviewed monthly; Security Health page in Admin Console reviewed quarterly.
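The alert list above (new admin account created, suspicious login, large file download, user suspended) can be expressed as detection rules over the tenant's audit activity. The script below is an added example, not from the article and not Google's Alert Center. The activity records are constructed; their shape (id.time, id.applicationName, actor.email, events[].name, events[].parameters) follows the Reports API activities.list() response and the event names follow the admin, login and drive audit logs, but verify both against your own export before relying on them. BULK_DOWNLOAD_THRESHOLD and the ten-minute window are assumed values, and "large file download" is read here as a burst of downloads by one actor.

```python
"""Alert-center-style detection rules over Workspace audit activity records.

Added example, not part of the article or of Google's Alert Center. Records
are constructed in the Reports API activities shape; thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_DOWNLOAD_THRESHOLD = 3           # assumed: downloads per actor per window
BULK_WINDOW = timedelta(minutes=10)   # assumed


def _ev(time, app, actor, name, **params):
    """Build one constructed activity record in Reports API shape."""
    return {"id": {"time": time, "applicationName": app},
            "actor": {"email": actor},
            "events": [{"name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


SAMPLE_ACTIVITIES = [
    _ev("2025-01-15T09:00:00.000Z", "admin", "owner@example.com", "CREATE_USER",
        USER_EMAIL="newhire@example.com"),
    _ev("2025-01-15T09:01:00.000Z", "admin", "owner@example.com", "ASSIGN_ROLE",
        USER_EMAIL="newhire@example.com", ROLE_NAME="_SEED_ADMIN_ROLE"),
    _ev("2025-01-15T09:30:00.000Z", "login", "bob@example.com", "suspicious_login"),
    _ev("2025-01-15T10:00:00.000Z", "drive", "alice@example.com", "download",
        doc_title="Q4 financials.xlsx"),
    _ev("2025-01-15T10:02:00.000Z", "drive", "alice@example.com", "download",
        doc_title="Client list.csv"),
    _ev("2025-01-15T10:05:00.000Z", "drive", "alice@example.com", "download",
        doc_title="Internal strategy.docx"),
    _ev("2025-01-15T11:00:00.000Z", "admin", "owner@example.com", "SUSPEND_USER",
        USER_EMAIL="former@example.com"),
    _ev("2025-01-15T15:00:00.000Z", "drive", "carol@example.com", "download",
        doc_title="Team notes.docx"),
]


def _params(event):
    return {p["name"]: p.get("value") for p in event.get("parameters", [])}


def _time(rec):
    return datetime.fromisoformat(rec["id"]["time"].replace("Z", "+00:00"))


def detect(activities, threshold=BULK_DOWNLOAD_THRESHOLD, window=BULK_WINDOW):
    """Return (rule, actor, detail) tuples in time order."""
    alerts = []
    downloads = defaultdict(list)   # actor -> download times inside the sliding window
    for rec in sorted(activities, key=_time):
        app = rec["id"]["applicationName"]
        actor = rec["actor"]["email"]
        for ev in rec["events"]:
            name, p = ev["name"], _params(ev)
            if app == "admin" and name == "CREATE_USER":
                alerts.append(("NEW_USER_CREATED", actor, p.get("USER_EMAIL")))
            elif app == "admin" and name == "ASSIGN_ROLE":
                alerts.append(("ADMIN_ROLE_ASSIGNED", actor,
                               f"{p.get('USER_EMAIL')} -> {p.get('ROLE_NAME')}"))
            elif app == "admin" and name == "SUSPEND_USER":
                alerts.append(("USER_SUSPENDED", actor, p.get("USER_EMAIL")))
            elif app == "login" and name == "suspicious_login":
                alerts.append(("SUSPICIOUS_LOGIN", actor, None))
            elif app == "drive" and name == "download":
                t = _time(rec)
                times = downloads[actor]
                times.append(t)
                while times and t - times[0] > window:   # slide the window forward
                    times.pop(0)
                if len(times) == threshold:              # fire as the count reaches the threshold
                    alerts.append(("BULK_DOWNLOAD", actor,
                                   f"{threshold} downloads within {window}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_ACTIVITIES):
        print(f"{rule:20} {actor:22} {detail or ''}")
```

Each rule is a plain predicate on one record, except the download rule, which keeps a per-actor sliding window so that three scattered downloads in a day do not fire but three within ten minutes do. The same structure runs unchanged over a real export if the event names and parameter keys match your tenant's logs.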
AEGITz performs Google Workspace security assessments and hardening for Phoenix businesses. Download our free Google Workspace Security Checklist to audit your tenant. aegitz.com