The Google Workspace Security Audit Checklist I Wish Every SMB Had

By Eysh | eyshtech.vip | March 2026

I spent 6 years as a Google Workspace Account Manager at MarketStar. In that time I audited hundreds of SMB environments. The same security gaps showed up in almost every single one.

Not exotic zero-days. Not nation-state hacking. Just basic stuff that nobody thought to check — because nobody told them to. So here it is. The checklist I built after seeing the same mistakes over and over, for years, across companies of every size from 5 people to 500.

Two-Factor Authentication: The One Nobody Enforces

I once found a 50-person company where exactly 3 people had 2FA enabled. The CEO wasn't one of them. The IT director wasn't one of them. The three people who did have it? They'd turned it on themselves because they were paranoid. Good for them.

Here's what most SMBs don't realize: Google Workspace lets you enforce 2FA across the entire org. Not suggest it. Not send a polite reminder. Enforce it — as in, you literally cannot log in without a second factor. It takes about 4 minutes to configure in the Admin console. Most companies I audited had never touched that setting.

If you do one thing after reading this, go turn on 2FA enforcement. Right now. I'll wait.

The Super Admin Problem

Who has super admin access to your Google Workspace? Do you know? Can you name them right now without checking?

In at least a dozen audits, I found super admin accounts belonging to employees who left 6+ months ago. In one case, a former intern still had full super admin — the keys to everything — and nobody noticed for almost a year. They hadn't done anything malicious. But they could have. That's the point.

The rule is simple: minimum two super admins (so you don't get locked out), maximum three (so the blast radius stays small). Everyone else gets the minimum permissions they actually need. Review it quarterly. Put it on your calendar. I mean literally — a recurring calendar event that says "check who has super admin."
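The two checks above (who has 2FA, who has super admin) are the same question asked of the same data, so here is one script that answers both. This is an added example, not something from the post; it assumes you have pulled the user list with the Admin SDK Directory API (users.list, keeping the fields shown) or have an export in that shape, and SAMPLE_USERS is constructed sample data, not a real tenant. The distinction between isEnforcedIn2Sv and isEnrolledIn2Sv is the part people miss: turning on enforcement does not by itself put a second factor on an account, it just starts a clock on users who have not enrolled yet.

```python
"""Audit a Google Workspace user export for 2FA coverage and super admin sprawl.

Added example, not from the post. Assumes the Admin SDK Directory API users.list
response shape (primaryEmail, isAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv,
suspended, lastLoginTime). SAMPLE_USERS is constructed sample data.
"""
from datetime import datetime, timezone

# Constructed sample in the shape of a Directory API users.list response.
SAMPLE_USERS = [
    {"primaryEmail": "ceo@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2026-03-01T08:15:00.000Z"},
    {"primaryEmail": "it.director@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2026-03-02T09:00:00.000Z"},
    {"primaryEmail": "former.intern@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2025-04-10T17:42:00.000Z"},
    {"primaryEmail": "sales1@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2026-03-03T10:00:00.000Z"},
    {"primaryEmail": "sales2@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2026-03-03T11:00:00.000Z"},
    {"primaryEmail": "old.contractor@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": True,
     "lastLoginTime": "2025-01-15T12:00:00.000Z"},
]
SAMPLE_NOW = "2026-03-05T00:00:00.000Z"   # constructed "today" for a repeatable run

MIN_SUPER_ADMINS = 2   # the post's floor: never a single point of lockout
MAX_SUPER_ADMINS = 3   # the post's ceiling: keep the blast radius small
STALE_DAYS = 90        # an admin with no sign-in for this long is probably a leaver


def parse_time(rfc3339):
    """Directory API timestamps look like 2026-03-01T08:15:00.000Z;
    accounts that never signed in report the epoch."""
    return datetime.strptime(rfc3339, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now=None):
    """Return findings keyed by check name. Suspended users are skipped: they
    cannot sign in, so they are neither a 2FA gap nor a live admin."""
    if isinstance(now, str):
        now = parse_time(now)
    now = now or datetime.now(timezone.utc)
    active = [u for u in users if not u.get("suspended")]
    admins = [u for u in active if u.get("isAdmin")]

    def emails(group):
        return sorted(u["primaryEmail"] for u in group)

    return {
        # Super admin count against the post's "two to three" rule.
        "super_admins": emails(admins),
        "super_admin_count_ok": MIN_SUPER_ADMINS <= len(admins) <= MAX_SUPER_ADMINS,
        # Not covered by enforcement: the org-wide setting is off, or this user
        # sits in an org unit or group that is exempt from it.
        "not_enforced_2sv": emails(u for u in active if not u.get("isEnforcedIn2Sv")),
        # No second factor enrolled at all, enforced or not.
        "not_enrolled_2sv": emails(u for u in active if not u.get("isEnrolledIn2Sv")),
        # Enforced but not enrolled: inside the enrollment grace period, or
        # already unable to sign in. Either way, someone has to follow up.
        "enforced_not_enrolled": emails(u for u in active
                                        if u.get("isEnforcedIn2Sv") and not u.get("isEnrolledIn2Sv")),
        # The worst combination: full admin rights and a password alone.
        "admins_without_2sv": emails(u for u in admins if not u.get("isEnrolledIn2Sv")),
        # Admins with no sign-in for STALE_DAYS: the "left six months ago" case.
        "stale_admins": emails(u for u in admins
                               if (now - parse_time(u.get("lastLoginTime",
                                   "1970-01-01T00:00:00.000Z"))).days > STALE_DAYS),
    }


if __name__ == "__main__":
    for check, result in audit_users(SAMPLE_USERS, now=SAMPLE_NOW).items():
        print(f"{check}: {result}")
```

Run it against a real export and the "stale_admins" and "admins_without_2sv" lists are the ones to act on first; "super_admin_count_ok" being false in either direction (one admin, or six) is the calendar reminder the post talks about, in code.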

Sharing Settings: Your Contracts Are One Click From Public

Google Drive's default sharing settings are generous. Too generous for most businesses. If your org-wide sharing is set to "Anyone with the link" — and I've seen this more times than I can count — then every document, every spreadsheet, every client contract is one accidental share away from being public.

Change the default to "Restricted" or at most "People in your organization." External sharing should require explicit action, not be the default. This is a 2-minute fix in the Admin console under Apps > Google Workspace > Drive and Docs. Two minutes to close one of the biggest data leak vectors in your entire company.

Third-Party App Access: The Shadow IT You Don't Know About

That random Chrome extension your marketing person installed? It might have full read access to every file in their Drive. That "cool productivity tool" someone connected via OAuth? It can read their email.

Go to Admin console > Security > API Controls > Third-party app access. Look at the list. I guarantee you'll find apps you've never heard of with permissions that make your stomach drop. The fix: set third-party app access to "Don't allow users to access any third-party apps" as the default, then whitelist the ones you actually use. Yes, people will complain. They'll get over it.
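The Admin console list tells you the app names; what makes your stomach drop is the scopes. The script below, an added example and not part of the post, ranks OAuth grants by the scopes they carry so you know which apps to allowlist and which to revoke. It assumes per-user grants pulled with the Directory API tokens.list call (which returns clientId, displayText, scopes, anonymous and nativeApp per grant); SAMPLE_TOKENS, the client IDs and the allowlist are all constructed placeholders.

```python
"""Rank third-party OAuth grants by the access they carry.

Added example, not from the post. Assumes the Directory API tokens.list
response shape per user. SAMPLE_TOKENS, ALLOWLIST and every client ID below
are constructed placeholders.
"""

# Scopes that hand an app the kind of access the post warns about.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full Gmail (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/drive": "full Drive (every file)",
    "https://www.googleapis.com/auth/drive.readonly": "read every Drive file",
    "https://www.googleapis.com/auth/contacts": "read and write contacts",
    "https://www.googleapis.com/auth/admin.directory.user": "manage all users",
}

# Apps the org has deliberately approved (constructed placeholder client ID).
ALLOWLIST = {"222222222222-examplecrm.apps.googleusercontent.com"}

# Constructed sample: user -> list of Token resources as tokens.list returns them.
SAMPLE_TOKENS = {
    "marketing@example.com": [
        {"clientId": "111111111111-coolprod.apps.googleusercontent.com",
         "displayText": "Cool Productivity Tool", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
        {"clientId": "222222222222-examplecrm.apps.googleusercontent.com",
         "displayText": "Example CRM", "anonymous": False, "nativeApp": False,
         "scopes": ["openid", "email", "https://www.googleapis.com/auth/drive.file"]},
    ],
    "sales1@example.com": [
        {"clientId": "222222222222-examplecrm.apps.googleusercontent.com",
         "displayText": "Example CRM", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
        {"clientId": "333333333333-chromeext.apps.googleusercontent.com",
         "displayText": "Random Chrome Extension", "anonymous": False, "nativeApp": True,
         "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    ],
    "ceo@example.com": [],
}


def audit_tokens(tokens_by_user, allowlist=ALLOWLIST):
    """One finding per (user, app) grant that carries a high-risk scope, most
    dangerous first. Allowlisted apps are still reported when their scopes are
    broad: approving an app is not the same as approving every scope it asks for."""
    findings = []
    for user, tokens in tokens_by_user.items():
        for tok in tokens:
            risky = [s for s in tok.get("scopes", []) if s in HIGH_RISK_SCOPES]
            if not risky:
                continue   # drive.file, openid, email: per-file or identity only
            findings.append({
                "user": user,
                "app": tok.get("displayText", "(unnamed)"),
                "client_id": tok.get("clientId"),
                "allowlisted": tok.get("clientId") in allowlist,
                "risky_scopes": risky,
                "why": [HIGH_RISK_SCOPES[s] for s in risky],
            })
    # Unapproved apps with the most broad scopes float to the top.
    findings.sort(key=lambda f: (f["allowlisted"], -len(f["risky_scopes"]), f["user"]))
    return findings


def unapproved_apps(findings):
    """Collapse findings into {app name: set of users} for apps not on the
    allowlist: the list to take to the API Controls page."""
    apps = {}
    for f in findings:
        if not f["allowlisted"]:
            apps.setdefault(f["app"], set()).add(f["user"])
    return apps


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS):
        tag = "approved" if f["allowlisted"] else "NOT APPROVED"
        print(f"{f['user']}: {f['app']} [{tag}] -> {', '.join(f['why'])}")
```

Note the "Example CRM" case: the app is allowlisted, yet one user granted it read access to all their mail. Switching the default to "Don't allow" stops new grants; existing ones stay until you revoke them, which is why the per-user token list is worth pulling.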

Password Policies (Or Lack Thereof)

Most SMBs I audited had zero password requirements configured in Workspace. No minimum length. No expiration. No complexity rules. Nothing. People were using passwords like "company123" and nobody was stopping them.

Set a minimum length of 12 characters. Enable password monitoring (Admin console > Security > Password management). Consider requiring password changes every 90 days — I know the security community debates this, but for SMBs where people reuse passwords across personal and work accounts, it matters.

Mobile Device Management: The Lost Phone Scenario

Someone loses their phone at a bar on Friday night. Their company email, Drive, Calendar — all of it is on that phone. Can you remote-wipe it? If you haven't set up basic mobile device management in Workspace, the answer is no. You just sit there hoping whoever found it doesn't scroll through your client list.

At minimum, enable basic device management. It lets you require screen locks, remote-wipe lost devices, and see which devices are accessing your org's data. Advanced management adds app whitelisting and stronger enforcement. Either way, you need something configured before the lost phone happens — not after.

Data Loss Prevention: Usually Completely Empty

Google Workspace has built-in DLP rules that can detect credit card numbers, Social Security numbers, and other sensitive data in emails and Drive files. In probably 90% of the SMBs I audited, zero DLP rules were configured. Not one.

Even basic rules — flag emails containing credit card numbers, warn before sharing files with SSNs externally — catch real problems. I've seen employees accidentally email client bank details to the wrong person. A simple DLP rule would have caught that.
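To show what those two rules actually do under the hood, here is an added example (mine, not the post's and not Google's DLP code) that implements the two detectors named above and maps hits to the two actions described: flag mail carrying card numbers, warn before SSNs go to an external recipient. The Luhn check is what keeps a 16-digit order number from tripping the card detector, and the SSN pattern applies the format rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial). SAMPLE_EMAIL is constructed text; the card numbers in it are the standard public test numbers, not real accounts.

```python
"""Content detectors of the kind a Workspace DLP rule runs, plus the rule logic.

Added example, not from the post. SAMPLE_EMAIL is constructed text; the card
numbers are public test numbers. Matches are masked in the output so the
report does not become a second copy of the sensitive data.
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN format rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits):
    """Luhn checksum: the cheap test that separates card numbers from order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return detections in document order, with values masked."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append({"type": "credit_card", "start": m.start(), "masked": "****" + digits[-4:]})
    for m in SSN_PATTERN.finditer(text):
        hits.append({"type": "ssn", "start": m.start(), "masked": "***-**-" + m.group()[-4:]})
    return sorted(hits, key=lambda h: h["start"])


def dlp_actions(hits, recipient_domain, org_domain="example.com"):
    """The post's two rules: flag mail with card numbers for the admin, warn
    the sender before an SSN leaves the org. Returns the actions to take."""
    actions = []
    types = {h["type"] for h in hits}
    if "credit_card" in types:
        actions.append("flag")
    if "ssn" in types and recipient_domain.lower() != org_domain.lower():
        actions.append("warn")
    return actions or ["allow"]


# Constructed sample message: one real-format card, one order number that
# looks like a card but fails Luhn, one card with a bad check digit, one SSN,
# one phone number and one ticket reference that resemble SSNs but are not.
SAMPLE_EMAIL = (
    "Hi, the card on file is 4111 1111 1111 1111 (exp 12/27). "
    "Order 1234 5678 9012 3456 shipped yesterday. "
    "The old card 4111-1111-1111-1112 was cancelled. "
    "Employee SSN 123-45-6789; call 555-123-4567 with questions. "
    "Ticket ref 000-12-3456 is not an SSN."
)

if __name__ == "__main__":
    found = scan(SAMPLE_EMAIL)
    for h in found:
        print(f"{h['type']} at offset {h['start']}: {h['masked']}")
    print("to partner.example:", dlp_actions(found, "partner.example"))
    print("to example.com:", dlp_actions(found, "example.com"))
```

The sample deliberately contains three near-misses (an order number, a mistyped card, a phone number) so you can see the detector reject them; a rule that fires on every 16-digit string gets switched off within a week, which is how orgs end up with zero DLP rules.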

Gmail Forwarding: The Silent Data Leak

Check if anyone in your org has auto-forwarding set up to a personal email address. Seriously, check right now. Admin console > Reporting > Email log search, or just ask your team. You'd be amazed how many people forward their work email to their personal Gmail "for convenience."

Every email that hits their work inbox — client conversations, internal discussions, financial data — is silently copied to an account you don't control. This is one of the easiest data exfiltration vectors that exists, and it's usually not even malicious. People just want to check work email on their personal phone. Disable the ability to set up forwarding to external addresses in the Admin console.
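Asking the team works, but a script does not forget anyone, and it catches the case people miss: a filter with a "forward to" action, which is not shown as auto-forwarding but copies every matching message outside the org just the same. The following is an added example, not from the post; it assumes per-user settings pulled with the Gmail API under domain-wide delegation, specifically users.settings.getAutoForwarding (enabled, emailAddress, disposition) and users.settings.filters.list (filters whose action.forward is set). SAMPLE_SETTINGS and the addresses in it are constructed.

```python
"""Find mail leaving the org through forwarding, per user.

Added example, not from the post. Assumes the shapes returned by the Gmail API
calls users.settings.getAutoForwarding and users.settings.filters.list.
SAMPLE_SETTINGS is constructed sample data.
"""

ORG_DOMAINS = {"example.com"}

# Constructed sample in the shape the two Gmail API calls return.
SAMPLE_SETTINGS = {
    "alice@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "alice.home@personal-mail.example",
                           "disposition": "leaveInInbox"},
        "filters": [],
    },
    "bob@example.com": {
        "autoForwarding": {"enabled": False},
        "filters": [
            {"id": "f1", "criteria": {"from": "finance@example.com"},
             "action": {"forward": "bob.side@personal-mail.example"}},
            {"id": "f2", "criteria": {"subject": "invoice"},
             "action": {"forward": "ap@example.com", "addLabelIds": ["Label_7"]}},
        ],
    },
    "carol@example.com": {
        "autoForwarding": {"enabled": True, "emailAddress": "carol@partner.example",
                           "disposition": "trash"},
        "filters": [],
    },
}


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address domain is not one of the org's own domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in org_domains}


def audit_forwarding(settings_by_user, org_domains=ORG_DOMAINS):
    """One finding per external forwarding target, highest severity first.

    Auto-forwarding with disposition trash or archive never shows the message
    in the inbox, so the user may not even remember the forward exists; those
    are rated high. Filter-based forwards are included because they are easy
    to overlook in a settings review."""
    findings = []
    for user, s in settings_by_user.items():
        auto = s.get("autoForwarding", {})
        if auto.get("enabled") and is_external(auto.get("emailAddress", ""), org_domains):
            silent = auto.get("disposition") in ("trash", "archive")
            findings.append({"user": user, "via": "auto-forwarding",
                             "target": auto["emailAddress"],
                             "severity": "high" if silent else "medium"})
        for flt in s.get("filters", []):
            target = flt.get("action", {}).get("forward")
            if target and is_external(target, org_domains):
                findings.append({"user": user, "via": f"filter {flt.get('id')}",
                                 "target": target, "severity": "medium"})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_SETTINGS):
        print(f"[{f['severity']}] {f['user']} -> {f['target']} via {f['via']}")
```

Bob's second filter forwards to an internal mailbox and is not reported; Carol's forward to a partner domain with messages sent straight to trash is the case to look at first, since nothing in her inbox would ever hint that it exists.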

Group Permissions: The Hidden Access Backdoor

Google Groups are powerful. They're also a mess in most orgs. Who's in the "All Company" group? Can external people post to it? Can anyone join without approval? In one audit I found a group called "Leadership" that granted access to a shared Drive with every strategic document the company had — and three people who were no longer with the company were still members.

Audit your groups. Check membership, check who can join, check what resources each group grants access to. It takes an afternoon. It's worth it.

Recovery Settings: The Doomsday Plan

Last one, and it's the one people never think about until it's too late. If your sole super admin gets locked out — loses their phone, forgets their password, leaves the company in a huff — what's the plan? Do you have a recovery email set? A recovery phone? A second super admin account stored securely?

I've talked to business owners who got locked out of their own Google Workspace with no recovery path. Their email, their files, their calendar, their contacts — gone. Google support can help, but it takes days and requires proving domain ownership. Set up recovery options now, while you can still log in.

The Bottom Line

None of this is hard. None of it is expensive. All of it matters. The average SMB data breach costs $4.88 million according to IBM's 2024 report. These are the things that prevent that number from landing on your desk.

I do these audits professionally now. $97 for a 30-minute review — I go through your Admin console, flag everything that needs fixing, and give you a prioritized action plan. Most businesses fix the critical stuff in under an hour.

Book at eyshtech.vip/workspace.
