
Google Workspace Security Audit: 8 Misconfigurations to Fix in 2026

Google Workspace's default settings optimise for ease of collaboration, which means they often leave security gaps wide open. These eight checks take under an hour and cover the misconfigurations most commonly exploited in Google Workspace breaches.

Google Workspace is used by millions of small businesses, and the Google Admin console has powerful security controls; most of them are either off by default or buried three levels deep in settings. The result is that most tenants are running with significant gaps their admins don't know about.

This checklist is based on the controls we scan automatically for every Google Workspace tenant enrolled in Workspace Posture Pro. Each item includes exactly where to find the setting and what to change.

The 8-Point Google Workspace Security Checklist

1. 2-Step Verification enforced for all users (Critical)
Go to Admin console → Security → Authentication → 2-step verification. Set "Allow users to turn on 2-step verification" to Enforcement on, not just "Allow". This forces every user to enrol in 2SV; the setting exists in every tenant by default but is almost never turned on in small business tenants. Pay special attention to admin accounts: these should be enrolled with hardware security keys, not just TOTP apps.
2. Third-party app access to Google account data (Critical)
Navigate to Admin console → Security → Access and data control → API controls → Manage third-party app access. Review every connected app. Any app with access to Gmail, Drive, Calendar, or Contacts data that you don't actively use should be revoked. OAuth phishing campaigns specifically trick users into granting these permissions; because the OAuth grant is independent of the password, the attacker keeps persistent access even after a password change until the token itself is revoked.
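To make item 2 repeatable rather than a one-off look at the console, here is an added Python example (not code from this article or from Workspace Posture Pro) that scores the OAuth tokens users have granted. It assumes token records shaped like the Admin SDK Directory API `tokens.list` response (`clientId`, `displayText`, `scopes`), which is what `service.tokens().list(userKey=...)` returns for each user; the sample tokens, the allow-list of approved client IDs and the `sensitive_scopes`/`risky_tokens` helpers are constructed for this example.

```python
"""Flag third-party OAuth grants that reach Gmail, Drive, Calendar or Contacts data.

Input shape follows the Admin SDK Directory API tokens.list response (one list of
token records per user); all sample values below are constructed."""

# Scope URI prefixes that expose the data classes the checklist calls out, mapped to
# the data they unlock. drive.file / drive.appdata are excluded below because they
# only reach files the app itself created or the user opened with it.
SENSITIVE_SCOPE_PREFIXES = {
    "https://mail.google.com/": "Gmail (full mailbox)",
    "https://www.googleapis.com/auth/gmail.": "Gmail",
    "https://www.googleapis.com/auth/drive": "Drive",
    "https://www.googleapis.com/auth/calendar": "Calendar",
    "https://www.googleapis.com/auth/contacts": "Contacts",
}
NARROW_DRIVE_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.appdata",
}

# Constructed allow-list: client IDs of apps the organisation has reviewed and approved.
APPROVED_CLIENT_IDS = {"approved-calendar-sync.apps.googleusercontent.com"}

# Constructed sample, keyed by user, shaped like tokens.list()["items"].
SAMPLE_TOKENS = {
    "alice@example.com": [
        {"clientId": "approved-calendar-sync.apps.googleusercontent.com",
         "displayText": "Approved Calendar Sync", "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/calendar"]},
        {"clientId": "pdf-converter-pro.apps.googleusercontent.com",
         "displayText": "PDF Converter Pro", "anonymous": False, "nativeApp": False,
         "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                    "https://www.googleapis.com/auth/userinfo.email"]},
    ],
    "bob@example.com": [
        {"clientId": "sso-only.apps.googleusercontent.com", "displayText": "Sign in with Google only",
         "anonymous": False, "nativeApp": False,
         "scopes": ["openid", "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "diagram-tool.apps.googleusercontent.com", "displayText": "Diagram Tool",
         "anonymous": False, "nativeApp": False,
         "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    ],
}


def sensitive_scopes(scopes):
    """Return [(data_class, scope)] for every scope that reaches tenant data."""
    hits = []
    for scope in scopes:
        if scope in NARROW_DRIVE_SCOPES:
            continue
        for prefix, label in SENSITIVE_SCOPE_PREFIXES.items():
            if scope.startswith(prefix):
                hits.append((label, scope))
                break
    return hits


def risky_tokens(tokens_by_user, approved_client_ids=APPROVED_CLIENT_IDS):
    """One finding per unapproved token that holds at least one sensitive scope."""
    findings = []
    for user, tokens in tokens_by_user.items():
        for token in tokens:
            if token["clientId"] in approved_client_ids:
                continue
            hits = sensitive_scopes(token.get("scopes", []))
            if hits:
                findings.append({
                    "user": user,
                    "app": token["displayText"],
                    "clientId": token["clientId"],
                    "data": sorted({label for label, _ in hits}),
                })
    return findings


if __name__ == "__main__":
    for f in risky_tokens(SAMPLE_TOKENS):
        print(f"{f['user']}: '{f['app']}' can reach {', '.join(f['data'])} -> review or revoke")
```

Sign-in-only grants (`openid`, `userinfo.email`) and per-file Drive access are deliberately left out of the findings so the list stays short enough to act on; anything that reaches a whole mailbox or Drive and is not on the approved list is what the console review in item 2 is meant to catch.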
3. External Drive sharing settings (High)
Check Admin console → Apps → Google Workspace → Drive and Docs → Sharing settings. The "Sharing outside of [domain]" option should be set to "Allowed with warning" at most, and ideally to "Only people in [domain] can access". The most dangerous configuration is "Anyone with the link can view/edit" applied as the default sharing behaviour. Also check whether users can share items with people outside the organisation without approval.
4. Email forwarding to external addresses (High)
In the Admin console → Apps → Google Workspace → Gmail → End User Access, check whether "Allow per-user outbound gateways" is enabled (it usually shouldn't be). Also audit individual accounts: in the Admin console → Users → [user] → Email → Gmail settings, check for forwarding addresses that send mail to external domains. Unexpected external forwarding is a primary indicator of account compromise.
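Items 3 and 4 are both "does data leave the domain" questions, so one added Python example (not code from this article or from Workspace Posture Pro) covers both. It assumes Drive items shaped like the Drive API `files.list` response with the `permissions` field expanded, and one mailbox assembled from the Gmail API `users.settings` responses (`getAutoForwarding`, `forwardingAddresses.list`, `filters.list`); the organisation domain, the files, the mailbox and the `is_external`/`drive_exposures`/`forwarding_exposures` helpers are all constructed for this example.

```python
"""Find Drive items and Gmail settings that move data outside the organisation's domain.

Shapes follow the Drive API files.list `permissions` field and the Gmail API
users.settings endpoints; all sample values are constructed."""

ORG_DOMAINS = {"example.com"}  # constructed: the tenant's primary and alias domains


def is_external(email, org_domains=ORG_DOMAINS):
    """True when the address is not in one of the organisation's domains."""
    return email.rsplit("@", 1)[-1].lower() not in org_domains


# Constructed sample shaped like
# files.list(fields="files(id,name,permissions(type,role,emailAddress,domain))").
SAMPLE_FILES = [
    {"id": "f1", "name": "Q4 board pack", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "freelancer@external-mail.example"}]},
    {"id": "f2", "name": "Customer list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Team notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "lead@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"},
        {"type": "group", "role": "commenter", "emailAddress": "team@example.com"}]},
]

# Constructed sample for one mailbox, combining three Gmail settings responses.
SAMPLE_MAILBOX = {
    "autoForwarding": {"enabled": True, "emailAddress": "j.doe.backup@external-mail.example",
                       "disposition": "leaveInInbox"},
    "forwardingAddresses": [
        {"forwardingEmail": "j.doe.backup@external-mail.example", "verificationStatus": "accepted"},
        {"forwardingEmail": "assistant@example.com", "verificationStatus": "accepted"}],
    "filters": [
        # a filter that quietly forwards a subset of mail is the easy one to miss in the UI
        {"id": "flt1", "criteria": {"from": "invoices@supplier.example"},
         "action": {"forward": "archive@partner.example"}},
        {"id": "flt2", "criteria": {"subject": "newsletter"},
         "action": {"removeLabelIds": ["INBOX"]}}],
}


def drive_exposures(files, org_domains=ORG_DOMAINS):
    """(file name, description) for each permission that grants access outside the org."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            if p["type"] == "anyone":
                findings.append((f["name"], f"anyone with the link ({p['role']})"))
            elif p["type"] in ("user", "group") and is_external(p["emailAddress"], org_domains):
                findings.append((f["name"], f"external {p['type']} {p['emailAddress']} ({p['role']})"))
            elif p["type"] == "domain" and p["domain"].lower() not in org_domains:
                findings.append((f["name"], f"external domain {p['domain']} ({p['role']})"))
    return findings


def forwarding_exposures(mailbox, org_domains=ORG_DOMAINS):
    """(mechanism, destination) for every route that sends mail to an external address."""
    findings = []
    auto = mailbox.get("autoForwarding", {})
    if auto.get("enabled") and is_external(auto.get("emailAddress", ""), org_domains):
        findings.append(("auto-forward", auto["emailAddress"]))
    for fa in mailbox.get("forwardingAddresses", []):
        if is_external(fa["forwardingEmail"], org_domains):
            findings.append(("forwarding address", fa["forwardingEmail"]))
    for flt in mailbox.get("filters", []):
        target = flt.get("action", {}).get("forward")
        if target and is_external(target, org_domains):
            findings.append((f"filter {flt['id']} forwards to", target))
    return findings


if __name__ == "__main__":
    for name, why in drive_exposures(SAMPLE_FILES):
        print(f"Drive: '{name}' is shared with {why}")
    for how, where in forwarding_exposures(SAMPLE_MAILBOX):
        print(f"Gmail: {how} {where}")
```

Filter-based forwarding is checked alongside the account-level forwarding address because it does not appear on the user's Gmail settings page in the Admin console; it is only visible through the filters list, which is why an automated pass is worth more than the manual check alone.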
5. Stale super admin accounts (High)
Go to Admin console → Account → Admin roles → Super Admin → Admins. Any account with Super Admin that hasn't been active in 30+ days, especially one belonging to a former employee or contractor, should have its admin rights revoked immediately. Super Admin gives full tenant control, including the ability to reset other users' passwords, access all data, and modify every security setting. A former employee who still holds Super Admin access is one of the most common and most serious findings in Workspace tenants.
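Items 1 and 5 can both be answered from a single user listing, so here is an added Python example (not code from this article or from Workspace Posture Pro) that audits it. It assumes user records shaped like the Admin SDK Directory API user resource (`primaryEmail`, `isAdmin`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `lastLoginTime`, `suspended`), which is what `service.users().list(customer="my_customer")` returns; the sample users, the fixed reference date and the helper functions are constructed for this example.

```python
"""Audit a Directory API users.list() result for two checklist items: accounts not under
2-Step Verification enforcement (item 1) and Super Admins idle for 30+ days (item 5).

Field names follow the Admin SDK Directory API user resource; the users below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is reproducible; use datetime.now(timezone.utc) live.
AUDIT_AS_OF = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample shaped like users.list()["users"]; isAdmin marks Super Admins.
SAMPLE_USERS = [
    {"primaryEmail": "ceo@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "lastLoginTime": "2026-01-14T09:12:00.000Z"},
    {"primaryEmail": "old-contractor@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "lastLoginTime": "2025-09-02T17:40:00.000Z"},
    {"primaryEmail": "never-logged-in@example.com", "isAdmin": True, "suspended": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
    {"primaryEmail": "sales@example.com", "isAdmin": False, "suspended": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "lastLoginTime": "2026-01-13T08:00:00.000Z"},
    {"primaryEmail": "alumni@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "lastLoginTime": "2024-03-01T08:00:00.000Z"},
]


def parse_login_time(value):
    """lastLoginTime is RFC 3339 UTC; accounts that never signed in report 1970-01-01T00:00:00.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def users_not_enforced_2sv(users):
    """Active accounts that 2SV enforcement does not cover (item 1)."""
    return sorted(u["primaryEmail"] for u in users
                  if not u["suspended"] and not u["isEnforcedIn2Sv"])


def admins_without_2sv(users):
    """Super Admins with no second factor enrolled at all: the highest-impact gap in item 1."""
    return sorted(u["primaryEmail"] for u in users
                  if u["isAdmin"] and not u["suspended"] and not u["isEnrolledIn2Sv"])


def stale_super_admins(users, now=AUDIT_AS_OF, max_idle_days=30):
    """(email, idle_days) for Super Admins with no sign-in in the last max_idle_days (item 5).
    Suspended admins are deliberately included: the role, not the sign-in state, is the exposure."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if not u["isAdmin"]:
            continue
        last = parse_login_time(u["lastLoginTime"])
        if last < cutoff:
            stale.append((u["primaryEmail"], (now - last).days))
    return stale


def audit_users(users, now=AUDIT_AS_OF):
    """Combine the three checks into one report dict."""
    return {
        "not_enforced_2sv": users_not_enforced_2sv(users),
        "admins_without_2sv": admins_without_2sv(users),
        "stale_super_admins": stale_super_admins(users, now),
    }


if __name__ == "__main__":
    for check, hits in audit_users(SAMPLE_USERS).items():
        print(f"{check}: {hits}")
```

The distinction between `isEnrolledIn2Sv` and `isEnforcedIn2Sv` matters: a user can have enrolled voluntarily and still be able to switch 2SV off, so the tenant-level enforcement setting in item 1 is the control to verify, and admins who are not even enrolled are the first to fix.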
6. Less secure app access blocked (High)
In Admin console → Security → Less secure apps, ensure "Disable access to less secure apps for all users" is selected. Less secure apps use basic auth (username + password only) to access Gmail and Google Calendar, which bypasses 2SV entirely. Google has been phasing this out since 2021, but many tenants still have it enabled for legacy applications. Audit which apps depend on it before enforcing.
7. Alert centre monitoring active (Medium)
Check Admin console → Security → Alert centre. Google's built-in alert centre notifies you of suspicious activity: account hijacking attempts, malware in Drive, government-backed attacks, and data exfiltration warnings. Ensure critical alerts are configured to send email notifications to admin accounts. Many Google Workspace tenants have never opened the alert centre.
8. Login audit logs and data export enabled (Medium)
In Admin console → Reporting → Audit and investigation → Login audit, verify that login events are being recorded. Also check Account → Account settings → Legal and compliance → Data export; this controls whether you can export data for incident response or legal requirements. Audit log retention depends on your Google Workspace edition (Business Starter: 180 days, Business Standard/Plus: 6 months, Enterprise: up to 10 years).
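Recording login events (item 8) is only useful if someone reads them, so here is an added Python example (not code from this article or from Workspace Posture Pro) that triages them. It assumes records shaped like the Admin SDK Reports API `activities.list(userKey="all", applicationName="login")` items (`id.time`, `actor.email`, `ipAddress`, `events[].name`); the events, the thresholds and the helper functions are constructed for this example, and the three patterns it looks for are the ones item 4's "primary indicator of account compromise" and item 7's hijacking alerts are about.

```python
"""Triage Login audit events for password-guessing patterns and Google's own suspicious-login flags.

Record shape follows the Admin SDK Reports API activities.list(applicationName="login")
items; the events below are constructed, not taken from a real tenant."""
from collections import Counter, defaultdict


def _login_item(time, email, name, ip, extra_params=()):
    """Build one constructed activity record in the Reports API shape."""
    return {
        "id": {"time": time, "applicationName": "login"},
        "actor": {"email": email},
        "ipAddress": ip,
        "events": [{"type": "login", "name": name,
                    "parameters": [{"name": "login_type", "value": "google_password"},
                                   *extra_params]}],
    }


BAD_PASSWORD = [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]

SAMPLE_LOGIN_EVENTS = (
    # six wrong passwords for bob within six minutes, then a success from the same address
    [_login_item(f"2026-01-14T02:{m:02d}:00.000Z", "bob@example.com", "login_failure",
                 "198.51.100.7", BAD_PASSWORD) for m in range(6)]
    + [_login_item("2026-01-14T02:07:00.000Z", "bob@example.com", "login_success", "198.51.100.7"),
       # Google's own risk engine flagged alice's sign-in
       _login_item("2026-01-14T09:30:00.000Z", "alice@example.com", "suspicious_login", "203.0.113.9"),
       # one typo then success: normal behaviour, must not be flagged
       _login_item("2026-01-14T10:00:00.000Z", "carol@example.com", "login_failure", "192.0.2.44", BAD_PASSWORD),
       _login_item("2026-01-14T10:01:00.000Z", "carol@example.com", "login_success", "192.0.2.44")]
)


def event_names(item):
    return [e["name"] for e in item.get("events", [])]


def failure_counts(items):
    """Number of login_failure records per user."""
    counts = Counter()
    for item in items:
        if "login_failure" in event_names(item):
            counts[item["actor"]["email"]] += 1
    return counts


def users_over_failure_threshold(items, threshold=5):
    """Users whose failure count reaches the threshold in the queried window."""
    return {user: n for user, n in failure_counts(items).items() if n >= threshold}


def suspicious_logins(items):
    """(time, user, ip) for events Google itself marked as suspicious or leaked-credential related."""
    flagged = []
    for item in items:
        for name in event_names(item):
            if name.startswith("suspicious_login") or name == "account_disabled_password_leak":
                flagged.append((item["id"]["time"], item["actor"]["email"], item.get("ipAddress")))
    return flagged


def success_after_failures(items, min_failures=3):
    """(user, failures, ip) where a success ends a streak of >= min_failures failures:
    the trace a password-guessing attempt leaves when it finally lands."""
    by_user = defaultdict(list)
    for item in sorted(items, key=lambda i: i["id"]["time"]):
        by_user[item["actor"]["email"]].append(item)
    hits = []
    for user, sequence in by_user.items():
        streak = 0
        for item in sequence:
            names = event_names(item)
            if "login_failure" in names:
                streak += 1
            elif "login_success" in names:
                if streak >= min_failures:
                    hits.append((user, streak, item.get("ipAddress")))
                streak = 0
    return hits


if __name__ == "__main__":
    print("over threshold:", users_over_failure_threshold(SAMPLE_LOGIN_EVENTS))
    print("google flagged:", suspicious_logins(SAMPLE_LOGIN_EVENTS))
    print("success after failures:", success_after_failures(SAMPLE_LOGIN_EVENTS))
```

A hit from `success_after_failures` is the one to act on first: check that account's forwarding settings (item 4) and connected apps (item 2), since those are where an attacker who has just obtained a password typically establishes persistence.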

Google-specific risks to know about

Unlike M365, Google Workspace has a few security quirks that catch admins off guard:

💡 Quick win: Google's Security Health page (Admin console → Security → Security health) gives you an instant overview of the most critical settings and flags anything that's at risk. Check it first; it takes 30 seconds.

How often should you audit?

Configuration drift is the enemy. A setting that was correct last quarter can change when:

Running this checklist monthly is better than quarterly. Automating it is better than monthly. The value isn't in the initial audit; it's in catching the change that happened two Tuesdays ago before it becomes a breach.


Run this audit automatically every month

Workspace Posture Pro connects read-only to your Google Workspace tenant and runs all 8 checks monthly. You get a plain-English digest with your posture score, what changed since last month, and prioritised remediation steps. Setup takes 2 minutes; no IT ticket needed.
