
    How Small Teams Can Secure Their Google Workspace


    Let’s be honest: if you’re one of the first (or the first) security hires at a small or midsize business, chances are you’re also the unofficial CISO, SOC, IT Help Desk, and whatever additional roles need filling. You’re not running a security department. You are THE security department. You’re getting pinged about RFPs in one area, and reviewing phishing alerts in another, all while sifting through endless FP alerts across the board. The tools meant to help are often creating more work than they solve. Security teams end up choosing between letting things slip or becoming the “Department of No.”

    Chances are you inherited your company’s Google Workspace. Thankfully, Google handles the infrastructure, the uptime, and the spam filtering. But while Google takes care of a lot, it doesn’t cover everything, and it can be difficult for security teams to operationalize all of Google’s underlying capabilities without significant engineering work. It’s your job to secure the perimeter, even when the perimeter is practically everywhere.

    Even with limited time and personnel, you can leverage Google’s excellent security foundations to get the most out of the tools at your disposal. So where do you start?

    Identity is Your First Line of Defense

    The concept of a traditional security perimeter has faded in the era of cloud-native work. Firewalls and physical network boundaries no longer define the edges of your environment. We’ve been calling identity the “new” perimeter for over a decade: it determines who has access, from where, and under what circumstances. This makes identity protection the most critical layer in your security strategy. When identity controls are weak or misconfigured, an attacker does not need to break into your systems. They simply log in. Every action beyond that point is implicitly trusted.

    What to do:

    • Enforce Multi-Factor Authentication (MFA) — MFA is table stakes at this point, but it’s worth reinforcing: a strong authentication strategy begins with requiring multi-factor authentication for all users, without exception. This includes executives, administrators, contractors, and part-time staff. MFA adds an essential layer of security that protects against the most common attack vector: stolen credentials.

      Configuration should be enforced through either Google Workspace directly or a third-party identity provider (IdP) that supports conditional access and stronger policy enforcement. Regular reviews of MFA enrollment status across user groups should also be conducted, including GWS Super Admins, to ensure they are not bypassing the IdP and MFA.

    • Use Context-Aware Access — Google’s context-aware access policies should be implemented to evaluate the trustworthiness of each access request in real-time. These policies allow restrictions based on device type, geographic location, IP address, and user role. For example, access to administrative functions or sensitive documents can be limited to managed devices within trusted regions. Context-aware access enhances the granularity of access control beyond a simple username and password, reducing the risk of unauthorized access from compromised credentials.
    • Minimize Admin Access — A robust access control model should follow the principle of least privilege. Administrator privileges should be carefully scoped and assigned only when absolutely necessary. It is important to regularly audit administrative roles and permissions to ensure they align with current responsibilities (there comes a time in every startup’s maturity curve where you have to decide whether the founders still need Super Admin access). Temporary elevation of privileges should be preferred over permanent admin access. Audit logs can provide visibility into how and when administrative roles are used, helping to identify misuse or overprovisioning.
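    The MFA-enrollment review and the admin-role audit above are easy to script once you have a user export. The script below is an added example, not code from the article or from Material Security: it takes rows shaped like the Admin SDK Directory API users.list response (the field names isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, lastLoginTime and suspended are the API's own; the accounts, dates and the fixed reference date are constructed) and flags admins without 2-Step Verification, users who enrolled voluntarily but are not covered by an enforcement policy, and dormant Super Admins.

```python
"""Audit Super Admin sprawl and 2-Step Verification coverage from a Workspace user export.

Added example (not from the article or Material Security). Input rows are shaped like
the Admin SDK Directory API users.list response; the values below are CONSTRUCTED.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample rows. Field names follow the Directory API User resource
# (primaryEmail, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv,
# lastLoginTime, suspended); the people and dates are made up.
SAMPLE_USERS = [
    {"primaryEmail": "ceo@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2025-05-01T09:12:00.000Z"},
    {"primaryEmail": "cofounder@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2024-09-15T17:45:00.000Z"},
    {"primaryEmail": "helpdesk@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2025-05-02T08:00:00.000Z"},
    {"primaryEmail": "contractor@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2025-04-30T12:00:00.000Z"},
]

# Fixed "now" so the sample audit is reproducible; use datetime.now(timezone.utc) live.
REFERENCE_NOW = datetime(2025, 5, 5, tzinfo=timezone.utc)


def parse_login(ts):
    """Directory API timestamps are RFC 3339 with milliseconds and a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now, stale_days=90):
    """Return (severity, email, issue) tuples for the MFA and admin checks in the text."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot log in; skip them
        email = u["primaryEmail"]
        privileged = bool(u.get("isAdmin") or u.get("isDelegatedAdmin"))
        if not u.get("isEnrolledIn2Sv"):
            # "all users, without exception": admins get the higher severity
            findings.append(("HIGH" if privileged else "MEDIUM", email, "2SV not enrolled"))
        elif privileged and not u.get("isEnforcedIn2Sv"):
            # enrolled voluntarily but no policy forces it, so it can be switched off
            findings.append(("MEDIUM", email, "2SV enrolled but not enforced by policy"))
        if u.get("isAdmin") and now - parse_login(u["lastLoginTime"]) > timedelta(days=stale_days):
            # a dormant Super Admin is pure attack surface: downgrade or remove it
            findings.append(("HIGH", email, f"Super Admin with no login in {stale_days}+ days"))
    return findings


def super_admins(users):
    """Active Super Admin accounts; compare against the number you can actually justify."""
    return [u["primaryEmail"] for u in users if u.get("isAdmin") and not u.get("suspended")]


def audit_sample():
    """Run the audit over the constructed rows with the fixed reference date."""
    return audit_users(SAMPLE_USERS, REFERENCE_NOW)


if __name__ == "__main__":
    print("Super Admins:", ", ".join(super_admins(SAMPLE_USERS)))
    for sev, email, issue in sorted(audit_sample()):
        print(f"{sev:6} {email:25} {issue}")
```

    In practice you would page through users.list with a service account and pass the rows to audit_users; the point of splitting the checks this way is that the same function can run weekly from a scheduler and diff its output against last week's, which is the "regular review" the text asks for without anyone clicking through the Admin console.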

    Why it matters:

    Most attacks begin with stolen credentials. If identity is weak, everything else falls apart like a Jenga tower. MFA and device-aware access are your way of adding glue between the pieces.

    Email Is a Great Asset… and Liability

    Email is the nervous system of your organization, but it’s also the front door for attackers. Phishing, social engineering, invoice fraud, and business email compromise remain at the top of threat reports for a reason. It all starts through Gmail.

    What to do:

    • Enable Enhanced Gmail Protections — Google’s advanced phishing and malware protections should be enabled to reduce exposure to common email-based attacks. These features are located within the Admin console under Gmail > Safety, though they may not be activated by default. Default configurations often require additional review to ensure that all protections are fully utilized. Regular audits of these settings can help confirm that security baselines are consistently applied across the organization.
    • Configure SPF, DKIM, and DMARC — The implementation of SPF, DKIM, and DMARC protocols is essential for preventing domain spoofing and impersonation attacks. These technologies act as authentication checkpoints for incoming and outgoing emails, validating that messages are truly coming from legitimate sources. Google Workspace includes built-in tools for configuration, but careful setup and ongoing monitoring are necessary to ensure proper alignment with your domain settings. Periodic testing of these configurations can identify gaps or misalignments that undermine their effectiveness.
    • Forwarding Rule Alerting — Forwarding rules within Gmail should be closely monitored, as they are a common mechanism for attackers to exfiltrate sensitive information. A compromised account may be quietly configured to forward emails to an external address, often without user awareness. Google Workspace audit logs can reveal the creation or modification of such rules, and custom alerts can be configured in the Alert Center to notify administrators of suspicious forwarding behavior. Regular reviews of both active and historic forwarding rules should be included as part of your security operations cadence.
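    The "periodic testing" of SPF, DKIM and DMARC in the second bullet mostly comes down to reading three TXT records and looking for the handful of settings that quietly neuter them. The checker below is an added example, not the article's or Material Security's code: it parses the record strings you would pull with dig +short TXT (the domain's SPF, a selector's DKIM key, and _dmarc.<domain>) and reports a permissive +all/?all, too many DNS-lookup mechanisms, a monitor-only p=none, a missing rua= reporting address, a partial pct=, and a revoked DKIM key. All record values below are constructed.

```python
"""Sanity-check SPF, DKIM and DMARC TXT records for the weak settings the article warns about.

Added example, not from the article or Material Security. Feed it the TXT strings you
pull with e.g. `dig +short TXT example.com` / `dig +short TXT _dmarc.example.com`;
the records below are CONSTRUCTED samples.
"""
import re

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# optional qualifier, term name, optional ":domain", "=value" or "/cidr" suffix
SPF_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/].*)?$")


def analyze_spf(record):
    """Return a list of findings (empty list means no obvious problem)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = SPF_TERM.match(term.lower())
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        qualifier, name = m.groups()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier or "+"  # a bare 'all' means +all
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term; unlisted senders are treated as neutral rather than rejected")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass SPF; use ~all or -all")
    return findings


def parse_tags(record):
    """Split 'k=v; k=v' style records (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def analyze_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag; record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; you get no aggregate reports to find misaligned senders")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}; the policy is applied to only part of your mail")
    return findings


def analyze_dkim(record):
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional in DKIM key records
        findings.append("unexpected version tag")
    if not tags.get("p"):
        findings.append("empty p= tag: this selector's key is revoked, signatures will not verify")
    return findings


# Constructed sample records.
SPF_WEAK = "v=spf1 include:_spf.google.com include:mail.crm-vendor.example +all"
SPF_GOOD = "v=spf1 include:_spf.google.com -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for label, fn, rec in [("SPF (weak)", analyze_spf, SPF_WEAK), ("SPF (good)", analyze_spf, SPF_GOOD),
                           ("DMARC (weak)", analyze_dmarc, DMARC_WEAK), ("DMARC (good)", analyze_dmarc, DMARC_GOOD),
                           ("DKIM (revoked)", analyze_dkim, DKIM_REVOKED)]:
        print(label, "->", fn(rec) or "OK")
```

    The lookup counter matters more than it looks: every SaaS vendor you add with another include: pushes you toward the limit of 10, and once you cross it receivers treat the whole record as an error, which is a common way a domain ends up effectively without SPF while the record still "exists".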

    Why it matters:

    As long as the human factor is involved in some shape or form, phishing will always be a possibility. One click from a distracted employee and you’re dealing with a compromised mailbox. Google catches a lot of junk, but not all of it. And once an attacker is inside, Google’s controls don’t do much to stop the bleeding.

    Data Loss is a Slow and Often Silent Threat

    In a world where information flows freely across chats, shared drives, and email threads, maintaining control over sensitive data is both crucial and increasingly difficult. Data loss is rarely the result of a single catastrophic event. Instead, it occurs gradually through well-meaning employee mistakes, unchecked sharing permissions, or subtle, malicious actions that evade basic detection. These minor leaks compound over time and can have a devastating cumulative effect on your organization’s security posture and compliance obligations.

    What to do:

    • Use Labels to Classify and Control Sensitive Data — Labels in Google Workspace act as metadata tags that can be applied to documents, emails, and other assets to indicate their sensitivity or business function (e.g., “Confidential,” “Finance Only,” or “Customer Data”). These labels are not just for organization, they can trigger automated security policies, such as restricting external sharing, disabling downloads, or enforcing encryption. Applying labels consistently allows you to scale DLP efforts without relying solely on manual enforcement. It also helps you identify and prioritize which content requires the most protection, making ongoing data hygiene efforts more focused and effective.
    • Restrict External Sharing — Domain-level sharing settings should be carefully configured to prevent files from being shared with ‘Anyone with the link,’ since this often results in unintended public exposure. A whitelist of approved external domains should be established and enforced to define which recipients are authorized for external sharing. Users should be advised to share documents only with individuals who have a specific business need. Google Drive audit logs should be reviewed routinely to detect patterns of excessive or risky sharing behaviors. Labels or sensitivity tags should be applied to documents to clearly indicate the appropriate level of confidentiality.
    • Use Default Google DLP Rules — Begin by enabling Data Loss Prevention policies that are pre-configured to detect common sensitive data types such as credit card numbers, Social Security numbers, and other forms of personally identifiable information (PII). While ongoing maintenance of DLP policies is time-consuming and tends to remain on the permanent backburner of to-do lists, you can maximize protection with minimal effort by focusing on your crown jewels: label the confidential and high-value company IP (like source code). Ensure those are protected at a minimum, and expand your policy as time allows to ensure that DLP is actively monitoring data across Gmail, Google Drive, and Google Chat to provide broad coverage against unintentional or malicious data exposure.
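    The three bullets above chain together: a detector finds regulated data, a label records the verdict, and the sharing policy keys off the label. The script below is an added example, not the article's or Material Security's code, that walks that chain over constructed files. It mimics the default credit-card and SSN detectors (card candidates are Luhn-checked so an order number does not trip the rule), assigns a "Confidential" label, and then checks each file's permissions against an approved-domain allowlist. The permission dicts follow the Drive API permission fields (type, role, emailAddress, domain); the file names, contents, domains and the allowlist are all made up.

```python
"""Label files that contain regulated data and flag risky sharing on them.

Added example, not from the article or Material Security. File contents and permissions
are CONSTRUCTED; the permission dicts follow the Drive API permission shape
(type, role, emailAddress, domain).
"""
import re

ORG_DOMAIN = "example.com"
ALLOWED_EXTERNAL_DOMAINS = {"trusted-vendor.example"}  # your approved-domain allowlist

# 13-16 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US SSN with the never-issued area/group/serial ranges excluded
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return the list of detector names that fired, one entry per hit."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("credit_card")
    hits += ["ssn"] * len(SSN_RE.findall(text))
    return hits


def sharing_violations(permissions):
    """Grants that reach outside the org and the allowlist."""
    out = []
    for p in permissions:
        if p["type"] == "anyone":
            out.append("anyone with the link")
        elif p["type"] == "domain" and p["domain"] != ORG_DOMAIN and p["domain"] not in ALLOWED_EXTERNAL_DOMAINS:
            out.append(f"external domain {p['domain']}")
        elif p["type"] in ("user", "group"):
            dom = p["emailAddress"].rsplit("@", 1)[1]
            if dom != ORG_DOMAIN and dom not in ALLOWED_EXTERNAL_DOMAINS:
                out.append(f"external {p['type']} {p['emailAddress']}")
    return out


def evaluate(file):
    """Classify one file, then rate its sharing in light of the label."""
    hits = find_sensitive(file["content"])
    label = "Confidential" if hits else None
    violations = sharing_violations(file["permissions"])
    severity = "HIGH" if label and violations else ("LOW" if violations else None)
    return {"name": file["name"], "label": label, "hits": hits,
            "violations": violations, "severity": severity}


# Constructed sample files.
SAMPLE_FILES = [
    {"name": "Q2 refunds.gsheet",
     "content": "Refund to card 4111 1111 1111 1111 for member SSN 078-05-1120",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
                     {"type": "anyone", "role": "reader"}]},
    {"name": "Vendor orders.gdoc",
     "content": "Order ref 1234567890123456 shipped Tuesday",  # 16 digits but fails Luhn
     "permissions": [{"type": "domain", "role": "reader", "domain": "example.com"},
                     {"type": "user", "role": "writer", "emailAddress": "ops@trusted-vendor.example"}]},
    {"name": "Payroll notes.gdoc",
     "content": "New hire SSN 078-05-1120, start 2025-06-01",
     "permissions": [{"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
                     {"type": "user", "role": "reader", "emailAddress": "consultant@unknown-firm.example"}]},
]


def evaluate_all():
    return [evaluate(f) for f in SAMPLE_FILES]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['severity'] or '-':5} {r['name']:20} label={r['label']} hits={r['hits']} {r['violations']}")
```

    The Luhn check is the one piece worth copying into any home-grown rule: without it, every 16-digit order or tracking number becomes a DLP alert, and the false positives are what push DLP maintenance onto the permanent backburner the text describes.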

    Why it matters:

    DLP and sharing controls are your seatbelts. You hope you never need them, but when you do, they’d better work. Accidental data leaks are just as damaging as intentional breaches, but with the right controls in place, their risk can be minimized.

    Establish Visibility as Broadly as Possible

    “You can’t protect what you can’t see” is a well-worn cliché, but that doesn’t make it any less true. You don’t need to implement a full-blown Security Operations Center (SOC) in order to be effective. But maintaining constant visibility across your environment is fundamental.

    What to do:

    • Use Google’s Alert Center — Although it does not catch every issue, Google’s Alert Center provides visibility into high-risk events such as suspicious logins or malware-infected emails.
    • Review Audit Logs Regularly — It is essential to establish a consistent and recurring schedule for reviewing audit logs to ensure timely detection of security anomalies and unauthorized activities across your Google Workspace environment. During these reviews, look for anomalies: file sharing spikes, strange login patterns, or changes in admin roles.
    • Integrate with a SIEM if Possible — Even if you are only able to use lightweight tools such as Google’s Chronicle or a basic SIEM instance, centralizing your logs can help you identify patterns over time.
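    Three of the anomalies the text asks you to look for (external forwarding rules from the email section, admin role changes, and file-sharing spikes) can be expressed as a few lines of detection logic over exported audit records. The script below is an added example, not the article's or Material Security's code. The records are constructed and mirror the layout of the Admin SDK Reports API activities.list response (id.time, id.applicationName, actor.email, events[].name, events[].parameters[]); the event and parameter names (FORWARDING_RULE_CREATED, SHARE_CHANGE, the Super Admin role name, and so on) are placeholders that you would map onto whatever your tenant's logs actually emit.

```python
"""Run three of the article's log-review checks over audit records in Reports API shape.

Added example, not from the article or Material Security. Records are CONSTRUCTED and
mirror the Admin SDK Reports API activities.list layout; the event and parameter NAMES
are placeholders to be mapped to the real ones in your tenant's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ORG_DOMAIN = "example.com"
SUPER_ADMIN_ROLE = "SUPER_ADMIN_ROLE_PLACEHOLDER"  # assumed; use the role name your logs show


def _rec(ts, app, actor, name, **params):
    """Build one constructed activity record."""
    return {"id": {"time": ts, "applicationName": app}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


SAMPLE_ACTIVITIES = [
    _rec("2025-05-05T09:00:12.000Z", "user_accounts", "alice@example.com",
         "FORWARDING_RULE_CREATED", destination="alice.backup@webmail.example"),
    _rec("2025-05-05T09:05:00.000Z", "admin", "helpdesk@example.com",
         "ASSIGN_ROLE", ROLE_NAME=SUPER_ADMIN_ROLE, USER_EMAIL="bob@example.com"),
    _rec("2025-05-05T09:07:00.000Z", "user_accounts", "dave@example.com",
         "FORWARDING_RULE_CREATED", destination="dave-archive@example.com"),  # internal: fine
] + [
    # twelve "anyone with the link" changes by one user within 22 minutes: a sharing spike
    _rec(f"2025-05-05T10:{2 * i:02d}:00.000Z", "drive", "carol@example.com",
         "SHARE_CHANGE", visibility="people_with_link", doc_title=f"deal-{i}.gsheet")
    for i in range(12)
]


def param(event, name):
    """Fetch one named parameter value from an event, or None."""
    return next((p["value"] for p in event.get("parameters", []) if p["name"] == name), None)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def detect(activities, org_domain=ORG_DOMAIN, share_threshold=10, window=timedelta(hours=1)):
    """Return (severity, actor, description) alerts; per-event rules first, then the spike rule."""
    alerts = []
    link_shares = defaultdict(list)  # actor -> timestamps of anyone-with-link changes
    for act in sorted(activities, key=lambda a: a["id"]["time"]):  # ISO strings sort by time
        ts, app, actor = parse_ts(act["id"]["time"]), act["id"]["applicationName"], act["actor"]["email"]
        for ev in act["events"]:
            if app == "user_accounts" and ev["name"] == "FORWARDING_RULE_CREATED":
                dest = (param(ev, "destination") or "").lower()
                if not dest.endswith("@" + org_domain):  # forwarding out of the org
                    alerts.append(("HIGH", actor, f"auto-forwarding to external address {dest}"))
            elif app == "admin" and ev["name"] == "ASSIGN_ROLE":
                role, target = param(ev, "ROLE_NAME"), param(ev, "USER_EMAIL")
                sev = "HIGH" if role == SUPER_ADMIN_ROLE else "MEDIUM"
                alerts.append((sev, actor, f"granted {role} to {target}"))
            elif app == "drive" and ev["name"] == "SHARE_CHANGE" and param(ev, "visibility") == "people_with_link":
                link_shares[actor].append(ts)
    minutes = int(window.total_seconds() // 60)
    for actor, times in link_shares.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= share_threshold:
                alerts.append(("MEDIUM", actor, f"{end - start + 1} files opened to anyone-with-link within {minutes} min"))
                break  # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for sev, actor, desc in detect(SAMPLE_ACTIVITIES):
        print(f"{sev:6} {actor:22} {desc}")
```

    The forwarding rule check is deliberately a destination-domain test rather than a keyword match: a rule that forwards to a colleague is normal, one that forwards to a personal webmail address from a newly logged-in account is the pattern the Alert Center rule in the email section is meant to catch, and the sliding-window counter is the shape of a "sharing spike" detection you would later port to Chronicle or whichever SIEM you centralize into.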

    Why it matters:

    You don’t have the capacity to investigate every individual alert. However, if you are not monitoring your logs, then no one is. The difficulty for many small security teams is that, given the breadth and volume of work on their plate, making time to review logs promptly and keep tabs on every potential alert is difficult, if not impossible. The key is to automate what you can, and to consistently make time to review the rest.

    Where Google Leaves Off and Where Cloud Workspace Security Begins

    No collaboration suite was designed to operate in lockdown. Email wasn’t designed to be a zero-trust environment, and Workspace is no different. It’s fantastic at keeping the basic bad guys out, but once they’re in, their behavior can be difficult to distinguish from normal use.

    Imagine a burglar breaks into your house, not by smashing a window, but by using a key they fished out of your mailbox. Once inside, your defenses assume the person walking around is allowed to be there. The lights are on, the alarm is silent, and the burglar has the run of the place.

    Cloud workspace security tools like Material Security exist for this exact scenario. Such a tool assumes compromise is inevitable and works ahead of time to contain it.

    Getting Off on the Right Foot: Clean Up Existing Settings and Permissions

    Unless you stood GWS up, you inherited it: the settings, the sharing behavior, and the sensitive data within. As time goes on, these things don’t disappear or resolve themselves: they only get more complicated. Understanding the state of the infrastructure is key to effectively managing it.

    Sensitive Data in Email

    If an account was compromised, what data would it have access to that would be valuable? Mailboxes contain years of sensitive emails. Each organization has to determine how to manage this according to its risk tolerance: weighing the convenience of keeping emails in inboxes against the security of removing confidential, regulated, and proprietary information.

    [Screenshot: With Material, sensitive historical data in email is secured behind an MFA prompt, keeping attackers out without hampering users.]

    Sensitive Data in Files

    Drive contains sensitive files created by or shared with an account. Again, it is a matter of weighing collaboration against security: restrictive sharing policies will minimize the surface risk but slow your team down, and can open up new vulnerabilities if employees work around overly restrictive sharing rules.

    [Screenshot: Material’s Explorer makes it easy to find sensitive content wherever it lives across your Gmail and Drive footprint.]

    Settings

    Loopholes in message moderation can poke holes in your defenses: things like default group moderation settings that allow potentially malicious messages to reach your executives and VIPs. It’s also important to look for gaps in your MFA program (IMAP/POP access, application-specific passwords, and more).

    [Screenshot: Detect and remediate a broad range of misconfigurations, risky behaviors, and other vulnerabilities.]

    Shadow IT

    Employees using unsanctioned apps and services is a persistent problem, as teams try out new unapproved tools. Self-serve password resets, one-time passwords, and other account verifications circumvent intended identity protection protocols. Getting a handle on what’s in use within your environment and by whom is critical to understanding your risk.

    Staying on the Right Path: Preventing Configuration Drift

    Maintain Visibility and Control Through Automated Continuous Monitoring

    Your Google Workspace environment is constantly evolving alongside its threats. Material provides continuous configuration monitoring that doesn’t just scan your settings once and call it a day. Instead, it keeps a persistent watch on your configuration posture, alerting you immediately when something drifts from baseline or veers into risky territory. It’s like having a vigilant co-pilot who never gets tired, constantly ensuring your environment is in line with security best practices. Whether it’s a new app being granted broad scopes or a permissions setting quietly altered, Material keeps you informed and in control. This significantly reduces the time teams spend on tedious manual reviews and frees them up to focus on higher-order security concerns while ensuring missteps don’t go unnoticed or unaddressed.

    [Screenshot: Monitor all risks and threats across all of Google Workspace in a single dashboard.]

    Strike the Right Balance Between Productivity and Security

    Small security teams don’t have to be the department of “no,” but they need to know what’s happening in their environment. Google Drive facilitates rapid, effective collaboration, but over time, the sprawl of sensitive content shared outside the organization or even publicly becomes unmanageable no matter how big the team is. Material manages sharing behavior at scale, notifying file owners of risky sharing behavior, giving them a window to self-heal or justify the sharing, and allowing security teams to set auto-remediation timeframes to fit their organization’s risk tolerance.

    [Screenshot: Alert users of improper sharing behavior and automatically remediate with granular settings tailored to your risk tolerance.]

    Automate what should be automated, simplify what can’t

    Too many detection and response tools on the market are all too light on the “response.” Material has a broad range of “close to the source” actions that can be set up to run automatically: rewriting links in detected phishing emails, applying labels to files that are detected with sensitive information, revoking user sessions when suspicious activity is detected, and more. But not every problem can be solved without human expertise; for those complex issues that require a human decision or nuanced fix, Material provides a range of one-click remediations as well as links to the Workspace settings page to remediate the issue.

    Fix Misconfigurations Automatically

    Misconfigurations are the silent killers of cloud workspace security. They often stem from well-meaning admin actions or overlooked toggles in a complex UI. With automated fix implementation for a wide range of common security missteps, Material removes the need for endless back-and-forth between alerts and actions. By resolving issues before they can be exploited, Material helps teams close security gaps early, leading to a leaner, more resilient posture with fewer vulnerabilities introduced through human error.

    Securing Google Workspace Is Just the Start

    As a one-person security team, you don’t need perfection, but you do need leverage. Google gives you a strong baseline, but it was built for scalability, not scrutiny. You need tools that fill the gaps, centralize all your cloud workspace detection and response, and keep employees productive AND secure.

    Material Security gives you that second layer of defense. In a world where threats and attacks are becoming increasingly sophisticated and difficult to detect, having something that helps you operate like a fully staffed security team can make a world of difference.

    So yes, turn on the Gmail filters. Lock down file sharing. Check your audit logs. But don’t stop there. Assume breach. Plan for it. And partner with a platform that helps you respond when it happens.

    Curious how this could work in your org?

    Check out Material Security to see how a purpose-built cloud workspace security solution can simplify and strengthen your security practice.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

    https://thehackernews.com/2025/05/perfection-is-myth-leverage-isnt-how.html
