A complete guide to Gmail security for your business

By Abhilash Menon

Gmail holds a huge volume of your information, a lot more than you’d think. Financial statements, password resets, trade secrets: almost everything passes through Gmail in one form or another.

At the same time, account takeovers and breaches are common, again, more common than you’d like.

Even giants like Deloitte are not safe from these threats. In 2017 attackers got into Deloitte’s email system; by press accounts the mailboxes of roughly 350 clients, including some of the biggest multinationals, four US government departments and the United Nations, may have been exposed. Deloitte is still dealing with the fallout.

Don’t end up like Deloitte. Pay attention to security before something goes wrong. In this post, we’ll walk through everything you need to make Gmail secure for your business. Let’s dive in.

1. Build a security-conscious culture

Expecting teams to be accountable without awareness won’t do much for your Gmail security. You first have to educate members to make the right decisions: whom to give email access to, which links to click and which to leave alone, which devices to use, and so on.

That’s why you need to build a culture of cybersecurity awareness, so members understand the right thing to do when it comes to protecting their Gmail.

Here are four effective ways to build a security-conscious culture at your workplace:

Create an information security program

Stephen Nardone, Director of Security and Mobility Practices at Connection, believes workplaces should build an information security program. Don’t let the jargon scare you off: it’s just a document detailing your entire approach to addressing security in your work environment.

It’s a manual that guides team members on:

  • The do’s and don’ts of data security
  • What data they should, and should not, be looking at
  • How to recognise and report unauthorized email activity

Essentially, it standardizes Gmail security practices across the length and breadth of the organization.

Make 2-factor authentication mandatory

Google has pushed it for years, yet by Google’s own count fewer than 10% of Gmail users have enabled 2-factor authentication (2FA).

‘OK, that’s an interesting email statistic, but what’s this 2FA all about?’

2-factor authentication adds an extra layer to your Gmail sign-in. Traditionally you only need a password; with 2FA you need the password plus a second factor: a code texted to your phone, a code from an authenticator app, a tap on a Google prompt, or a physical security key. If the baddies have your password, they still can’t get into the account on their own. In G Suite, admins can enforce 2-step verification for every user from the Admin console, which is what “mandatory” should mean in practice.

Be clear about what 2FA does and doesn’t stop. It blocks straightforward credential theft: a leaked or guessed password alone is no longer enough. It does not make you immune to phishing. A convincing fake sign-in page can ask for the one-time code as well and replay it within seconds; only hardware security keys (FIDO/U2F), which bind the login to the real domain, resist that. The stakes are real: once cybercriminals hold one team member’s credentials, they use the account to email everyone on the contact list. Those messages carry links and attachments that appear to come from a colleague, and from there the attackers move on to shared Drive files and further accounts.
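To make the “code from an authenticator app” factor concrete, here is a small TOTP (RFC 6238) generator and verifier, added as an example for this post and not code from Google or Hiver. It uses the RFC’s published test key (shown base32-encoded, the way Google Authenticator enrols a secret); the drift window and everything else are this example’s choices. The verifier also shows the limit described above: a code phished from the user and relayed within the same 30-second window verifies just fine.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 reference test key ("12345678901234567890"),
# base32-encoded as an authenticator app would receive it from a QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32_secret: str) -> bytes:
    """Decode a base32 shared secret; tolerate the unpadded, spaced form QR codes use."""
    s = b32_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows since the epoch."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side to absorb clock drift.

    The comparison is constant-time so the check itself leaks nothing. What this
    does NOT do is tell a genuine user apart from a phishing proxy that relays the
    same code within the window; that is why TOTP/SMS are not phishing-resistant
    while FIDO security keys, which bind the login to the origin, are.
    """
    counter = int(unix_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

The same HMAC-based scheme is what Google Authenticator and similar apps run on the phone; the server side keeps the shared secret and performs the window check.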


Gamify security practices

Educating about Gmail security is of no use if it isn’t put into practice. It takes more than a pep talk to get teams to follow Gmail security best practices. This is where gamification comes into play.

Gamification is the process of using game elements like rewards and competitions to engage users and solve real-world problems. Mark Stevens, Senior Vice President of Global Services at Digital Guardian, has argued for gamifying security: he believes it motivates teams to be vigilant in identifying and communicating threats.

Here’s a gamification model to turn team members into Gmail security Jedi.

The five levels:

  • Youngling - 100 points
  • Padawan - 200 points
  • Knight - 300 points
  • Master -  400 points
  • Grandmaster- 500 points

Every ‘right’ action (reporting a phishing email*, turning on 2FA, completing a workshop) earns members points, taking them a level closer to the coveted Grandmaster Jedi. Reward people each time they move up a rank, and keep rewarding Grandmasters so they hold on to their position.


* Reporting phishing emails needs a channel: an emergency notification system (a dedicated address or chat room, for example) so members can communicate threats as soon as they detect them.

Have regular security workshops

Security workshops can cover new Gmail security features, policy updates, and the general code of conduct.

But let’s be honest: ‘security workshop’ doesn’t sound like fun from any angle, and a bored audience retains very little. Missing or half-baked knowledge can put your Gmail security at risk.

Getting members to take a keen interest in strengthening Gmail security requires an element of fun. The chances of genuine participation are higher when there are more smiles than eye rolls.

Here are a few ways to ensure genuine participation from teams:

    • Board games. Take inspiration from games like Sec Werewolf to raise awareness about Gmail security.
    • Virtual simulations. Interactive simulations (a simulated phishing campaign, for instance) engage people far more than a slide deck does, and show them what an attack looks like before a real one arrives.

2. Important Gmail security features you should know

The next time you plan a security workshop, start by talking about the latest Gmail security updates.

June 2017 update

  • Flagging and delaying suspicious messages. Gmail now holds back delivery of a small share of messages that look suspicious so that additional phishing analysis can run before they reach the inbox; links are checked using Google Safe Browsing.
  • Protection against fake emails. When a member replies to someone outside your domain who is not an existing contact, Gmail shows an external reply warning. This makes it harder to fall for impersonation attempts that use look-alike addresses, and for other common user errors.
  • Stronger phishing checks. Clicking a suspicious link in a message brings up a warning. At launch this click-time warning was rolled out to Gmail on Android.

October 2017 update

After the phishing of political campaign email accounts during the 2016 US election, Google wanted to offer extra protection to users who are regularly targeted by sophisticated attackers: journalists, activists, business leaders and campaign staff. That led to the launch of the most sought-after Gmail security feature, the Advanced Protection Program.

Under this program, the second factor is no longer a code; you need physical security keys:

  • A USB security key to log in on a desktop.
  • A Bluetooth security key for mobile logins.

However, the strict security measures also bring a number of hassles:

  • At launch it only works with Google Chrome.
  • Account recovery is deliberately stringent: extra verification steps and several days to get your Gmail account back.
  • It blocks most third-party apps from reading your Gmail and Drive data (at launch, only Google’s own apps were allowed, which notably cut off many iOS mail clients).

The bottom line is that it’s not meant for everybody. If you are a high-value target and the inconvenience is worth it, go for it. Otherwise, standard 2FA, ideally with a security key as the second factor, will do the trick.




January 2018 update

The G Suite Security Center was introduced to give businesses actionable security insights in one place: messages that fail your authentication or spam and phishing standards, files shared outside the domain, and attachments at risk of causing data loss, all on one dashboard.

Businesses can use this information to deal with threats proactively, and the accompanying security health recommendations suggest which settings to change next.


3. Gmail security against third-party apps

Third-party apps are applications built by vendors other than Google that connect to your Gmail (and other G Suite) data: G Suite Marketplace add-ons, Chrome extensions, mobile mail clients, and web apps that sign in with Google. To work, they need some level of data access, which they obtain through OAuth. Most businesses are fine with that because the usefulness of the app outweighs the access it asks for.

An example of a useful third-party app is Hiver. It lets teams collaborate seamlessly straight from Gmail.

However, granting data access to malicious or careless apps can compromise your Gmail security. Just ask Snapchat, which cut off certain third-party apps after some developers misused the data provided by Snapchatters.

To strengthen Gmail security against unauthorized apps, here’s what you should do:

OAuth app whitelisting

OAuth is the authorization protocol that lets an app act on your Gmail (and other G Suite services) without ever seeing your password: the user grants the app a token limited to specific scopes. Because by default any user can grant any app access, Google added OAuth apps whitelisting to G Suite so that admins decide which apps may be granted access at all.

With OAuth app whitelisting you can see which third-party apps are accessing your company’s Gmail data and approve only trusted, vetted ones. Team members can then connect only whitelisted apps; anything else is refused at the consent screen, preventing unauthorized app installs.

To put it simply, OAuth whitelisting helps you:

  • View third-party apps that are accessing your Gmail data.
  • Restrict access to trusted and vetted third-party OAuth apps.
  • Limit problems caused by shadow IT: information technology solutions used in the workplace without explicit approval.

Review access permissions

Even a whitelisted app can get breached, and an attacker who steals its tokens inherits whatever access the app was granted. That’s why you need to know exactly what a third-party app can do. Read the OAuth scopes the app requests (shown on the consent screen and in the Admin console), not just its privacy policy, and check the following:

  • Access to email conversations. What an app can do with your mail is set by its scopes. A read-only mail scope lets it read every message; the full mailbox scope lets it read, send and delete. Some apps also copy mail to their own servers, and if the app is breached, so is that copy.
  • Access to your login credentials. With OAuth an app never sees your Gmail password; it holds a token you can revoke from the account’s security settings. Be suspicious of any app that asks you to type your Gmail password into its own form.
  • Access to your contact list. This is a tricky one. Depending on its functionality an app may need your Gmail contacts. If the app gets hacked, that list makes you a sweet target for phishing attacks.
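The whitelisting and scope review above can be turned into a repeatable triage. The following is an added example for this post (not Google’s or Hiver’s code): it classifies the tokens users have granted, using real Google OAuth scope identifiers but a risk policy, client IDs, app names and sample records that are this example’s own. The records are shaped like the items the Admin SDK Directory API returns for users.tokens.list (clientId, displayText, scopes), constructed here rather than exported.

```python
from dataclasses import dataclass, field

# Real Google OAuth scope identifiers, grouped by what a token lets an app do.
# The tier names and the policy below are this example's, not Google's.
SCOPE_TIERS = {
    "https://mail.google.com/": "mailbox-full",            # read, send, delete everything
    "https://www.googleapis.com/auth/gmail.modify": "mailbox-full",
    "https://www.googleapis.com/auth/gmail.readonly": "mailbox-read",
    "https://www.googleapis.com/auth/gmail.send": "mailbox-send",
    "https://www.googleapis.com/auth/gmail.compose": "mailbox-send",
    "https://www.googleapis.com/auth/gmail.labels": "mailbox-metadata",
    "https://www.googleapis.com/auth/contacts.readonly": "contacts",
    "https://www.googleapis.com/auth/contacts": "contacts",
    "https://www.googleapis.com/auth/drive": "drive-full",
    "https://www.googleapis.com/auth/drive.readonly": "drive-read",
    "https://www.googleapis.com/auth/drive.file": "drive-file",   # only files the app itself opened
    "https://www.googleapis.com/auth/userinfo.email": "identity",
    "openid": "identity",
    "email": "identity",
    "profile": "identity",
}
BLOCK_TIERS = {"mailbox-full", "drive-full"}    # refuse unless the client is whitelisted
REVIEW_TIERS = {"mailbox-read", "mailbox-send", "contacts", "drive-read"}


@dataclass
class Verdict:
    client_id: str
    app: str
    decision: str                  # "allow", "review" or "block"
    tiers: list = field(default_factory=list)


def review_tokens(tokens, whitelist):
    """Classify granted tokens against the scope policy and the admin whitelist."""
    verdicts = []
    for tok in tokens:
        tiers = {SCOPE_TIERS.get(s, "unknown") for s in tok.get("scopes", [])}
        approved = tok["clientId"] in whitelist
        if "unknown" in tiers:
            decision = "review"                  # never wave through a scope you can't name
        elif tiers & BLOCK_TIERS:
            decision = "allow" if approved else "block"
        elif tiers & REVIEW_TIERS:
            decision = "allow" if approved else "review"
        else:
            decision = "allow"                   # identity-only or narrowly scoped
        verdicts.append(Verdict(tok["clientId"], tok.get("displayText", "?"),
                                decision, sorted(t for t in tiers if t != "identity")))
    return verdicts


# Constructed sample data: hypothetical client IDs and app names.
SAMPLE_TOKENS = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Shared inbox tool",
     "scopes": ["https://mail.google.com/", "email"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Free signature generator",
     "scopes": ["https://www.googleapis.com/auth/gmail.modify", "profile"]},
    {"clientId": "333.apps.googleusercontent.com", "displayText": "Contact enrichment",
     "scopes": ["https://www.googleapis.com/auth/contacts.readonly",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"clientId": "444.apps.googleusercontent.com", "displayText": "Sign in with Google demo",
     "scopes": ["openid", "email", "profile"]},
    {"clientId": "555.apps.googleusercontent.com", "displayText": "Mystery add-on",
     "scopes": ["https://www.googleapis.com/auth/some.new.scope"]},
]
WHITELIST = {"111.apps.googleusercontent.com"}   # the one client the admin has vetted

if __name__ == "__main__":
    for v in review_tokens(SAMPLE_TOKENS, WHITELIST):
        print(f"{v.decision:6} {v.app:26} {', '.join(v.tiers)}")
```

Run against a real token export, the “block” rows are the ones to revoke and the “review” rows are the ones to raise with the app’s owner; note that the signature generator asking for gmail.modify gets the same verdict as one asking for the full mailbox, because modify already allows reading and deleting mail.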

Manage app runtime permissions

On managed Android devices, an installed third-party app that attempts to access your emails or other sensitive data has to ask for permission first; these are known as app runtime permissions.

In the Admin console you can choose how runtime permission requests are handled:

  • Allow automatically. Grant runtime permissions without asking.
  • Deny automatically. Refuse runtime permissions without asking.
  • Prompt user. Let the user decide whether to grant each runtime permission.



4. Gmail security against team members

A staggering 43% of data breaches are caused by insiders, according to one widely cited survey. Members who have, or had, access to privileged data can undo your Gmail security with nothing more than a USB drive or a mail forwarding rule.

Unlike phishing, an insider doesn’t trip a spam filter: the person is using access they were legitimately given. Detection is possible (login and audit logs, data-loss-prevention rules, unusual download or forwarding activity), but nobody sets it up for you; it’s your own responsibility to watch for it.

Here are four ways to protect your Gmail from insider threats:

  • Define email access. You want to give teams just the right amount of email access. A little less could disrupt collaboration. A little more might give members access to data they don’t need to have.

Use Hiver’s Shared labels to choose how much email access you want to give. It lets you easily share emails in specific categories with teams, keeping the rest for your eyes only.

  • Audit email activities. As the admin of your Google business email, you can pull login and user activity reports from the Admin console: IP address, geographic location, time, and device for each sign-in, plus audit logs for Drive sharing and admin actions. Review them regularly rather than only after an incident.

If you want a micro overview of team email activities, try Hiver’s Shared Inbox.

  • Members should sign a legal contract. A non-disclosure agreement brings team members under a legal obligation to confidentiality, helping keep your Gmail security intact. It’s a powerful psychological deterrent: members will be reluctant to share confidential emails if they know they can be sued.
  • Deactivate email access after termination. Whether the separation was amicable or not, cut off the outgoing employee’s access on the day they leave: suspend the account, revoke its app passwords and OAuth tokens, sign out its sessions, and hand the mailbox to a manager rather than leaving it live. You don’t want to be in the same position as EnerVest, where an IT employee who learned he was being fired sabotaged the company’s servers.
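The login audit and the offboarding check above are easiest to keep up with as a script run over the exported login log. What follows is an added example for this post, not Hiver’s or Google’s code: the records are constructed to match the shape the Admin SDK Reports API returns for applicationName=login (time, actor email, ipAddress, event name), the IP-to-country table stands in for a real GeoIP lookup, and the thresholds and the list of offboarded accounts are this example’s assumptions. It flags sign-ins Google itself marked suspicious, a burst of failures followed by a success from the same address, successful sign-ins by accounts that should already be suspended, and two sign-ins from different countries too close together to be one person.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (documentation IP ranges only).
IP_COUNTRY = {"203.0.113.10": "IN", "192.0.2.55": "BR", "192.0.2.99": "US", "198.51.100.7": "IN"}


def login_event(user, when, ip, name, login_type="google_password"):
    """Build one record in the shape of a Reports API login activity (constructed sample)."""
    return {
        "id": {"time": when, "applicationName": "login"},
        "actor": {"email": user},
        "ipAddress": ip,
        "events": [{"type": "login", "name": name,
                    "parameters": [{"name": "login_type", "value": login_type}]}],
    }


SAMPLE_EVENTS = [
    # alice: two successes 40 minutes apart from different countries
    login_event("alice@example.com", "2018-06-04T09:00:00Z", "203.0.113.10", "login_success"),
    login_event("alice@example.com", "2018-06-04T09:40:00Z", "192.0.2.55", "login_success"),
    # bob: a burst of failures from one IP, then a success from the same IP
    *[login_event("bob@example.com", f"2018-06-04T10:0{i}:00Z", "192.0.2.99", "login_failure")
      for i in range(5)],
    login_event("bob@example.com", "2018-06-04T10:06:00Z", "192.0.2.99", "login_success"),
    # carol: left the company last week, yet the account still signs in
    login_event("carol@example.com", "2018-06-04T11:00:00Z", "198.51.100.7", "login_success"),
    # dave: Google itself flagged the sign-in
    login_event("dave@example.com", "2018-06-04T12:00:00Z", "192.0.2.55", "suspicious_login"),
]
OFFBOARDED = {"carol@example.com"}   # constructed: accounts HR says should be suspended


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def analyse_logins(events, offboarded, fail_threshold=5, travel_window=timedelta(hours=2)):
    """Return (user, rule, detail) findings for a batch of login activities."""
    per_user = defaultdict(list)
    for ev in events:
        for e in ev["events"]:
            per_user[ev["actor"]["email"]].append(
                (_parse(ev["id"]["time"]), ev.get("ipAddress", ""), e["name"]))

    findings = []
    for user, rows in per_user.items():
        rows.sort()
        failures = defaultdict(int)     # consecutive failures per source IP
        successes = []
        for when, ip, name in rows:
            if name == "suspicious_login":
                findings.append((user, "google_flagged", f"{ip} at {when.isoformat()}"))
            elif name == "login_failure":
                failures[ip] += 1
            elif name == "login_success":
                if user in offboarded:
                    findings.append((user, "offboarded_account_active", f"{ip} at {when.isoformat()}"))
                if failures[ip] >= fail_threshold:
                    findings.append((user, "success_after_failures",
                                     f"{failures[ip]} failures then success from {ip}"))
                failures[ip] = 0
                successes.append((when, ip))
        # Impossible travel: consecutive successes from different countries, too close together.
        for (t1, ip1), (t2, ip2) in zip(successes, successes[1:]):
            c1, c2 = IP_COUNTRY.get(ip1), IP_COUNTRY.get(ip2)
            if c1 and c2 and c1 != c2 and t2 - t1 <= travel_window:
                findings.append((user, "impossible_travel", f"{c1} -> {c2} in {t2 - t1}"))
    return findings


if __name__ == "__main__":
    for finding in analyse_logins(SAMPLE_EVENTS, OFFBOARDED):
        print(*finding)
```

The offboarded check is the cheapest and most telling of the four: any successful sign-in by an account that should have been suspended means the termination checklist was not completed.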

Here’s a video that gives you a better idea of how to detect insider threats.

5. Password management

Routine password resets don’t do any good if the new passwords follow a pattern. Because choosing a password is partly subconscious, you won’t notice your own patterns (a word with @ in place of a, a year on the end), but crackers’ tools are built around exactly those substitutions. It’s no surprise that, by one estimate, 65% of passwords can be cracked easily.

To strengthen Gmail security against password theft, apply these three methods:

  • Get a password manager. Google’s built-in password manager (Smart Lock for Passwords) keeps all your passwords in one place, protected by your Google account sign-in and its 2FA. It protects your passwords without getting in your way. There are also a number of reputable third-party password managers, which in addition generate long random passwords so no two accounts share one.
  • Keep a master Gmail account. Keep a separate email account for highly sensitive information: a master Gmail account. Conversations dealing with sensitive matters like finances, security, trade secrets and the like go into this account, which has its own password and its own 2FA. Isolating information this way ensures attackers don’t get access to privileged information even if they hold the credentials for other Gmail accounts.
  • Encrypt your password file. If you are in the habit of keeping a digital copy of your account passwords, encrypt the file (a password manager’s vault does this for you; otherwise use a tool such as GPG or an encrypted disk image) with a strong passphrase, so that anyone who copies the file gets only ciphertext.
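To show why the patterns mentioned above don’t help, here is a small checker, added as an example for this post and not Google’s or Hiver’s code. It applies the first rules any cracking tool runs: undo leetspeak, strip the trailing digits and symbols, then compare against a wordlist (a constructed handful here; real lists hold millions of entries), and also look for keyboard walks, year suffixes and repeated characters. The rule names and the 12-character minimum are this example’s choices.

```python
import re

# Constructed mini wordlist; real cracking wordlists run to millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer",
                "company", "gmail", "monkey", "dragon", "football"}
# The substitutions people think make a word unguessable; crackers undo them first.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def base_word(password):
    """Strip the digits/symbols people tack on the end, then undo leetspeak."""
    stripped = re.sub(r"[^a-zA-Z]+$", "", password)
    return stripped.lower().translate(LEET)


def has_keyboard_walk(password, length=4):
    """True if the password contains a run of `length` adjacent keys, in either direction."""
    s = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seg = row[i:i + length]
            if seg in s or seg[::-1] in s:
                return True
    return False


def weaknesses(password):
    """Return the names of the cracking rules this password would fall to (empty is good)."""
    issues = []
    if len(password) < 12:
        issues.append("too-short")
    if base_word(password) in COMMON_WORDS:
        issues.append("dictionary-word")         # leet and suffixes don't hide it
    if re.search(r"(19|20)\d\d[^a-zA-Z]*$", password):
        issues.append("year-suffix")
    if has_keyboard_walk(password):
        issues.append("keyboard-walk")
    if re.search(r"(.)\1\1", password):
        issues.append("repeated-character")
    return issues


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2019!", "Qwerty123!", "correct horse battery staple"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious pattern'}")
```

A password manager sidesteps all of these rules at once, because a random 20-character string has no base word, no suffix and no walk to undo.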

6. Email encryption 

Email encryption is an important aspect of Gmail security. It involves disguising the contents of your emails as unreadable ciphertext, so that sensitive information can be read by no one other than the intended recipients.

Gmail encrypts your messages in transit with TLS whenever the other mail server supports it, and encrypts stored mail at rest. That is server-to-server protection, not end-to-end: Google, and any mail server on the path that doesn’t support TLS, can read the contents. Here are a few key things you should know:

  • Always use HTTPS. Gmail has forced HTTPS for its web interface since 2014, so the old ‘Always use https’ setting no longer needs switching on. When team members use Gmail from public or unencrypted networks, still check that the address bar shows https:// with a valid certificate, and configure any desktop or mobile mail client for TLS (imap.gmail.com on port 993, smtp.gmail.com on 465 or 587 with STARTTLS). This denies anyone on the network a plaintext path into your Gmail account.
  • Send encrypted emails. For messages that must stay private from every intermediary, use end-to-end encryption: a plugin such as Secure email for Gmail, or PGP/S-MIME tooling, encrypts the body before it leaves the browser so only the recipient can read it. This matters most for recipients outside your Gmail network, where you don’t control the receiving server; Gmail shows an open red padlock on an address whose server doesn’t support TLS.
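Because TLS is applied hop by hop, the way to confirm whether a message actually travelled encrypted is to read its Received headers from the bottom (oldest hop) up. The following parser is an added example for this post, not Gmail’s or Hiver’s code; the sample headers are constructed to match the formats Gmail’s MX and Postfix write (version=TLS1_2 ... from Gmail, using TLSv1.2 ... from Postfix, and a plain with ESMTP for an unencrypted hop), and the hostnames are made up.

```python
import re
from email import message_from_string

# Constructed headers modelled on what Gmail's MX and Postfix actually write.
SAMPLE_MESSAGE = """\
Delivered-To: alice@example.com
Received: from smtp.vendor.example (smtp.vendor.example. [198.51.100.20])
        by mx.google.com with ESMTPS id a1b2c3d4
        for <alice@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 04 Jun 2018 08:15:02 -0700 (PDT)
Received: from relay.partner.example (relay.partner.example [198.51.100.30])
        by smtp.vendor.example (Postfix) with ESMTPS id 3F2A1
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
        Mon,  4 Jun 2018 15:15:01 +0000 (UTC)
Received: from legacy-app.internal (legacy-app.internal [10.0.0.5])
        by relay.partner.example (Postfix) with ESMTP id 1A2B3C;
        Mon,  4 Jun 2018 15:14:59 +0000 (UTC)
From: Vendor Billing <billing@vendor.example>
To: alice@example.com
Subject: Invoice 4471

Please find the invoice attached.
"""

TLS_VERSION = re.compile(r"(?:version=|using\s+)(TLS[\w.]+)")
ENCRYPTED_PROTOCOL = re.compile(r"\bwith\s+E?SMTPSA?\b")   # SMTPS/ESMTPS(A) means TLS was used


def received_hops(raw_message):
    """One dict per Received header, newest hop first, with the TLS version
    seen on that hop (None when the hop was plaintext)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        frm = re.match(r"from\s+(\S+)", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        version = TLS_VERSION.search(flat)
        if version:
            tls = version.group(1)
        elif ENCRYPTED_PROTOCOL.search(flat):
            tls = "unknown-version"               # encrypted, but the MTA didn't log the version
        else:
            tls = None
        hops.append({"from": frm.group(1) if frm else "?",
                     "by": by.group(1) if by else "?", "tls": tls})
    return hops


def plaintext_hops(raw_message):
    """Receiving servers that accepted this message without TLS."""
    return [h["by"] for h in received_hops(raw_message) if h["tls"] is None]


if __name__ == "__main__":
    for h in received_hops(SAMPLE_MESSAGE):
        print(f"{h['from']:28} -> {h['by']:24} {h['tls'] or 'PLAINTEXT'}")
    print("plaintext hops:", plaintext_hops(SAMPLE_MESSAGE))
```

In the sample, the last hop into Gmail and the hop before it were both encrypted, yet the first hop inside the sender’s network was not: exactly the situation where “TLS encrypts your email in transit” is true at Gmail’s end and false for the message as a whole, and where end-to-end encryption is the only fix you control.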

Here’s a video to show just how easy it is to send encrypted emails.

Finally, Gmail security will be your toughest battle yet

In the battle to secure Gmail, the attackers have the easier job. They can try as many times and in as many ways as they like, and they only need to succeed once. You have to identify and stop every attempt.

To keep a strong front against a high volume of coordinated attacks, regularly update your Gmail security knowledge, policies, and tactics. At the same time, ensure none of these disrupt team collaboration at the workplace. Finding the right balance is what makes the battle for Gmail security a tough one.

Hiver can improve your chances in this one-sided battle. It lets teams collaborate within the company’s Gmail network, keeping all the information inside the G Suite security infrastructure.



About the author

Abhilash is the content marketer at Hiver. On free days, he's a glorified coffee snob and a passionate blogger. On not-so-free days, he's trying to understand the right perspective when it comes to content marketing.

