top of page

5 Steps You Should Take to Make Your Google Workspace Domain Secure

Cybersecurity is becoming a bigger issue within education. According to CheckPoint Research, there has been a 93% increase in cyberattacks targeting the UK education sector in 2021 compared to 2020. Cyber threats come with significant disruption to teaching and learning, and a huge financial cost with regards to increases in insurance policies, ransomware payouts, and recovery costs.

Boy on a laptop

In this guide, I will take you through five steps that will help to secure your Google Workspace Domain. All the main features are available in all versions of Google Workspace for Education.

1. Two-step verification

One of the most impactful changes you could make is turning on 2-step verification for your Google Workspace Domain. This gives an extra layer of protection in case a password is compromised or guessed.

There are a number of options for two-step verification within Google Workspace for Education, and you will need to consider what is the best option for your institution. You could use a Google prompt, which sends a sign-in prompt to a mobile device linked to the user's account. Another option could be to use verification code generators, for example, Google Authenticator app, which allows users to enter a time-based code to sign into their account. Or perhaps you could use security keys that can be hardware-based or a mobile device built-in security key (available on phones running Android 7+ or iOS 10+). However, if you have users that don’t have mobiles or can’t take their phones into the classroom, you can allow them to generate backup verification codes and print them to use when needed.

Laptop & phone

When implementing 2-step verification for

your institution, consider the communication to staff and perhaps arrange some training to support users to set up their own 2-step verification process.

If you have Google Workspace for Education Standard or Education Plus, then there are some additional features that can help secure your domain. For example, Context-Aware Access can be customised to limit using Google products to a particular country or IP address.

2. Check admin roles

Admin roles within your Google Workspace domain have a lot of power and change a number of settings that might make your domain more or less secure. It is important to audit the user accounts that have admin permissions. Sometimes you might have a member of staff leave, but their admin account is still active. This can happen if your users are managed by a third-party tool. You may also have a member of staff change roles within your school and no longer need an admin role within your Google Workspace Domain.

To audit your admins, go to your Admin Console and click on "Account". Select "admin roles" from the drop-down list. All your admin roles are listed on the page, and you can select "view admins" to see all users attached to a particular role. You can also review the permissions assigned to each admin role. Ensure that you remove any accounts that no longer need admin permissions.

Screenshot - admin console

You could also consider splitting a user’s account and create an admin account that is only used for accessing the admin console and an account for general day-to-day working. Plus check the admin audit logs to see if there are any suspicious activities carried out by an admin account.

If you have Google Workspace for Education Standard or Education Plus, you can set up alerts and email notifications through "Rules" for any suspicious activity.

3. Third-party app access

Third-party apps can add functionality to Google Workspace for Education, however, they can also have the power to delete everything in your Google Drive or Gmail, so it is important to audit which third-party apps have access to your domain and the APIs within it.

In the admin console, go to 'Security', then 'Access and data controls', followed by 'API controls', and select 'Manage third-party app access'. You will be able to see all the apps that have some form of access to your Google Domain, as well as what Google services the app uses. You have the option to change any access for an app from this screen, but you might want to check with teaching staff before making too many changes.

Screenshot - admin console

You should also check which Google Workspace Marketplace settings you have turned on. It is recommended that you manage the Marketplace add-ons that users can install on their accounts, and have a process to review any requests for apps and add-ons across your domain.

4. Sharing options

Within education, there is a need to share files internally and sometimes externally. There are a number of options to manage how a user shares within your Google Workspace Domain. Depending on your edition of Google Workspace for Education, sharing is managed either in the Drive and Docs settings or within 'Rules'. The basic sharing settings can allow or prevent a user from sharing files externally. These can be

set at an Organisational Unit (OU) or Group level. It is important to set the permissions that are right for your institution.

Share icon

If you have Google Workspace for Education Standard or Education Plus, you can use Drive Trust Rules to set granular permissions for sharing internally and externally.

It is important to also check the settings for Shared Drives and make sure that they are suitable for your context. Do you allow certain users to make new Shared Drives, and do you allow file sharing from Shared Drives? These, again, can be applied to OU or Group level.

Another approach is to limit which users can be found in an autocomplete share list. For example, you may want students to only see classroom teachers when they start to type a name in the share box. To do this, you need to set up a custom directory. You can set this up in 'Visibility settings' within the Directory settings.

To help sharing further, and you have Education Standard or Education Plus, you can set up Drive Labels and Target Audiences. These features can help the user to prevent excess sharing.

5. Gmail safety

Users can be a target for phishing attacks and malware through their emails. Gmail has a number of settings that can be turned on to protect users from these types of attacks. Within the Gmail settings, you should review the Safety settings and consider turning on the features that will best support your institution. Reviewing the protection around attachments as well as spoofing and authentication is a great place to start. These will

help your users make more informed decisions around opening emails and attachments.

Screenshot - admin console

You should also review the settings within the 'Spam, phishing, and malware' section. Here you can turn on enhanced pre-delivery message scanning that enables improved detection of suspicious content before the email is delivered to your user.

Following these five steps can help to make your Google Workspace Domain more secure. If you wanted to take your cybersecurity further, you could look at gaining

Cyber Essentials or Cyber Essentials Plus. Canopy offers a range of services and support for education institutions to gain these certifications. Get in touch for more information:email us at


bottom of page