If the last time you looked at your Google Workspace admin console security settings was the day you set up the account, this is for you. Most small businesses we audit have at least three “huh, didn’t know that was on” findings inside the first 15 minutes. None of these are catastrophic on their own. Stacked together, they’re how breaches happen.
This is the 8-category self-audit we use as a first pass on every customer review. Block out 30 minutes, open admin.google.com, and work through it honestly. You don’t need to fix anything today - the point of the audit is to know where you stand.
Want a deeper review with someone who’s seen the inside of a few hundred SMB Workspace tenants? The Workspace Advance Audit covers everything below plus a written remediation plan. Fixed price, two-week turnaround.
The 60-Second Answer (Quick Answers)
Q: What should a Google Workspace security audit cover?
A: At minimum: multi-factor authentication enforcement, OAuth third-party app access, external file-sharing settings, admin account count and role assignments, account recovery options, mobile device management, login activity review, and Vault/data retention. For SMBs, the highest-value finding is usually in the first three - MFA, OAuth, and share sprawl.
Q: How often should I audit Google Workspace security?
A: Quick check (15 minutes) every quarter. Full audit (the 8 categories below) once a year, or after any of: a staff change in IT, an acquisition, a major employee departure, or an actual security incident. Critical changes (new admin, new domain, new SSO) deserve a same-day spot check.
Q: Is the Workspace admin console enough, or do I need a third-party tool?
A: For most SMBs under 50 users, the admin console + Google’s security dashboard is enough. Third-party tools (SaaS security posture management, identity governance) become worth the budget around 100+ users or when you have compliance obligations (HIPAA, SOC 2). Below that, a thorough manual audit is the right move.
Q: What’s the most common Workspace security finding in small businesses?
A: A super admin account that’s actually a shared inbox - [email protected] or [email protected] with the password in a shared password manager, no MFA, and three or four people who can log in. Close behind: OAuth apps approved years ago that still have full Drive access.
Why Self-Audit Matters Before You Hire Someone
Two reasons.
First, if you walk into an engagement with a third party already knowing your top 3 - 5 issues, the conversation moves faster and you spend money fixing instead of discovering.
Second, the small stuff doesn’t need a consultant. If you’re going to enable 2-Step Verification enforcement, that’s a 90-second admin console change. You don’t need to pay for a five-figure security assessment to do it.
We’ve been doing Workspace setup and admin support for over 15 years. The audit checklist below is built from that pattern of what actually catches small businesses out - not from a generic compliance template.
The 8-Category Self-Audit
Work through each category in order. Each one tells you what to check, where to find it in the admin console, and the “red flag” patterns we see most often.
1. Multi-Factor Authentication (2-Step Verification)
Where to check: Admin Console → Security → Authentication → 2-Step Verification.
What good looks like: 2-Step Verification is enforced for all users, with a small grace period for new hires. Methods allowed: security keys (best), Authenticator app, then SMS as a fallback only. “Any” should not be your only setting.
Red flags:
- 2SV is set to “Allow users to turn on 2-Step Verification” but not enforced. This means people who haven’t set it up are still logging in with passwords only.
- Backup codes have been generated but never reviewed.
- Admins are exempt. Admin accounts are the most valuable to attackers - they should have stronger MFA, not weaker.
Quick win: If 2SV isn’t enforced, enable enforcement for everyone except super admins, with a 30-day grace period. Then sort out the super admins separately with security keys.
2. OAuth Third-Party App Access
Where to check: Admin Console → Security → API Controls → App Access Control.
What good looks like: Third-party app access is restricted. Trusted apps are explicitly allowlisted. Users get prompted (or blocked, depending on your posture) before they can grant Drive/Gmail access to a new app.
Red flags:
- “Trust internal, third-party apps” is unrestricted, meaning any user can grant any app access to their Workspace data.
- An app you don’t recognise has Drive scopes for the whole company.
- An ex-employee’s “shadow IT” app from three years ago is still active.
Quick win: Pull the list of all approved apps. Anything you don’t remember saying yes to gets revoked. Set new app access to “Restricted” by default.
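Pulling the approved-app list by hand works for a 15-person tenant; past that, it helps to script the review. The following is an added example, not code from the original post: it takes records shaped like the Admin SDK Directory API tokens.list output (clientId, displayText, scopes, userKey) and flags apps that are not on your allowlist but hold broad Drive or Gmail scopes, widest-reaching app first. The sample tokens, the allowlist and the "risky scope" prefixes are all constructed for this example.

```python
"""Review OAuth tokens exported from the Directory API tokens.list endpoint.

Added example, not code from the original post. Records are constructed to mirror
the Token resource shape; the allowlist and risky-scope list are assumptions.
"""
from collections import defaultdict

# Scope prefixes that grant broad read/write access to mail or files (assumption:
# a practitioner would extend this for Contacts, Calendar, Admin SDK, etc.).
RISKY_SCOPE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
)
# Narrow scopes that share a prefix but only reach files the app itself created,
# or a single capability, so they should not count as "full access".
NARROW_SCOPES = {
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/drive.appdata",
    "https://www.googleapis.com/auth/gmail.send",
}
# Apps the business has consciously approved (constructed client IDs).
ALLOWLIST = {"123-trusted-crm.apps.googleusercontent.com"}

# Constructed sample: tokens.list output for several users, flattened into one list.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "123-trusted-crm.apps.googleusercontent.com",
     "displayText": "Trusted CRM", "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"userKey": "alice@example.com", "clientId": "999-old-sync-tool.apps.googleusercontent.com",
     "displayText": "OldSyncTool", "scopes": ["https://www.googleapis.com/auth/drive", "openid"]},
    {"userKey": "bob@example.com", "clientId": "999-old-sync-tool.apps.googleusercontent.com",
     "displayText": "OldSyncTool", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "carol@example.com", "clientId": "555-calendar-widget.apps.googleusercontent.com",
     "displayText": "CalendarWidget", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.com", "clientId": "777-mail-merge.apps.googleusercontent.com",
     "displayText": "MailMerge", "scopes": ["https://mail.google.com/"]},
]


def is_broad_scope(scope):
    """True for a scope that grants wide Drive or Gmail access."""
    return scope not in NARROW_SCOPES and scope.startswith(RISKY_SCOPE_PREFIXES)


def review_tokens(tokens, allowlist=ALLOWLIST):
    """Group tokens by app and flag un-allowlisted apps holding broad scopes.

    Returns findings sorted so the app granted by the most users comes first.
    """
    by_app = defaultdict(lambda: {"displayText": "", "users": set(), "broad_scopes": set()})
    for tok in tokens:
        entry = by_app[tok["clientId"]]
        entry["displayText"] = tok.get("displayText", "")
        entry["users"].add(tok["userKey"])
        entry["broad_scopes"].update(s for s in tok.get("scopes", []) if is_broad_scope(s))

    findings = []
    for client_id, entry in by_app.items():
        if client_id in allowlist or not entry["broad_scopes"]:
            continue
        findings.append({
            "clientId": client_id,
            "displayText": entry["displayText"],
            "user_count": len(entry["users"]),
            "broad_scopes": sorted(entry["broad_scopes"]),
        })
    findings.sort(key=lambda f: (-f["user_count"], f["clientId"]))
    return findings


if __name__ == "__main__":
    for f in review_tokens(SAMPLE_TOKENS):
        print(f"{f['displayText']:<16} users={f['user_count']}  scopes={f['broad_scopes']}")
```

On a real tenant you would call tokens.list once per user (it is per-user, not per-domain) and feed the combined list in; the output is the "anything you don't remember saying yes to" list from the quick win above, ready to revoke.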
3. External File Sharing (Drive Share Sprawl)
Where to check: Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings.
What good looks like: Files can be shared externally, but external users have to sign in (no anonymous “anyone with the link” by default). Warnings appear when sharing externally. Trusted external domains (clients, contractors) are listed explicitly.
Red flags:
- External sharing is “On” with no domain restrictions and no warnings.
- “Allow recipients to share, forward, or copy” is on for sensitive content.
- A Drive search for “is:starred -from:me” (across the org) finds 50+ docs shared anonymously.
Quick win: Even if you don’t lock down sharing, turn on the warning prompt. Users see “you’re sharing externally” before clicking, which catches 90% of accidents.
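A Drive search gives you a feel for the problem; to size it properly you want the permission list on every file. The block below is an added example, not code from the original post. It walks records shaped like the Drive API files.list output with the permissions field expanded and reports each file that is shared anonymously ("anyone with the link", or discoverable by anyone) or with an external address or domain that is not on your trusted list. The sample files, the internal domain and the trusted external domains are constructed for this example.

```python
"""Find share sprawl in a Drive files.list export (permissions expanded).

Added example, not code from the original post. File records follow the Drive
API files resource shape; INTERNAL_DOMAIN and TRUSTED_EXTERNAL_DOMAINS are assumptions.
"""
INTERNAL_DOMAIN = "example.com"                  # assumed primary Workspace domain
TRUSTED_EXTERNAL_DOMAINS = {"clientco.example"}  # assumed allowlist of client/contractor domains

# Constructed sample files, each with its permissions list as Drive returns it.
SAMPLE_FILES = [
    {"id": "f1", "name": "Board pack Q3", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Contract draft", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "bob@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "legal@clientco.example"}]},
    {"id": "f3", "name": "Payroll 2024", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "carol@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "someone@gmail.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"id": "f4", "name": "Team lunch menu", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dave@example.com"},
        {"type": "domain", "role": "writer", "domain": "example.com"}]},
    {"id": "f5", "name": "Public price list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "erin@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
]


def classify_permission(perm, internal_domain, trusted_domains):
    """Return 'anonymous', 'external', 'trusted' or 'internal' for one permission entry."""
    ptype = perm.get("type")
    if ptype == "anyone":
        return "anonymous"
    if ptype == "domain":
        domain = perm.get("domain", "").lower()
    elif ptype in ("user", "group"):
        domain = perm.get("emailAddress", "").rpartition("@")[2].lower()
    else:
        return "internal"
    if domain == internal_domain:
        return "internal"
    if domain in trusted_domains:
        return "trusted"
    return "external"


def find_share_sprawl(files, internal_domain=INTERNAL_DOMAIN,
                      trusted_domains=TRUSTED_EXTERNAL_DOMAINS):
    """Map file id -> {name, anonymous, discoverable, external} for every risky file."""
    report = {}
    for f in files:
        anonymous = discoverable = False
        external = []
        for perm in f.get("permissions", []):
            cls = classify_permission(perm, internal_domain, trusted_domains)
            if cls == "anonymous":
                anonymous = True
                # allowFileDiscovery=True means the file can turn up in a public search,
                # not just for people who already hold the link.
                discoverable = discoverable or bool(perm.get("allowFileDiscovery"))
            elif cls == "external":
                external.append(perm.get("emailAddress") or perm.get("domain"))
        if anonymous or external:
            report[f["id"]] = {"name": f["name"], "anonymous": anonymous,
                               "discoverable": discoverable, "external": external}
    return report


if __name__ == "__main__":
    for file_id, info in find_share_sprawl(SAMPLE_FILES).items():
        flags = []
        if info["anonymous"]:
            flags.append("PUBLIC" if info["discoverable"] else "anyone-with-link")
        flags.extend(info["external"])
        print(f"{file_id} {info['name']!r}: {', '.join(flags)}")
```

Note that files.list only returns permissions on files the calling identity can see, so an org-wide pass needs a service account with domain-wide delegation impersonating each user (or Drive's own audit reporting); the classification logic is the same either way.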
4. Admin Account Hygiene
Where to check: Admin Console → Account → Admin Roles → Super Admin (and other admin role lists).
What good looks like: 2 - 3 super admins, each as a named human (not [email protected]). Each one has a security key as primary 2SV. Admin actions for the past 90 days look reasonable and traceable.
Red flags:
- Only one super admin and they’re on holiday.
- The super admin is a shared mailbox.
- Five or more super admins on a 15-person team.
- An ex-employee still has super admin (this happens more often than you’d think).
- “Groups Admin” or “User Management Admin” roles assigned to non-IT staff for one task three years ago.
Quick win: Run the report at Admin Console → Reports → Audit and Investigation → Admin log events. Look at the last 30 days. Anything you can’t explain is a question to ask.
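Categories 1 and 4 can be checked from the same data: a users.list export from the Admin SDK Directory API carries each account's admin flags and its 2-Step Verification state. The block below is an added example, not code from the original post, serving both sections: it reports super admin count outside the 2 to 3 target, super admins whose name looks like a shared inbox, any admin not enrolled in 2SV, ordinary users still not enrolled once the 30-day grace period has passed, and accounts the policy does not enforce 2SV on. The user records, the fixed "today" and the shared-mailbox name heuristic are constructed assumptions. Whether a super admin's method is a security key is not visible in this resource, so that part of the check stays manual.

```python
"""2-Step Verification coverage and super admin hygiene from a users.list export.

Added example, not code from the original post. Records are constructed to mirror
the Directory API User resource fields (primaryEmail, isAdmin, isDelegatedAdmin,
isEnrolledIn2Sv, isEnforcedIn2Sv, creationTime, suspended). The fixed NOW and the
shared-mailbox name list are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed heuristic: local parts that usually mean a shared inbox, not a named human.
SHARED_MAILBOX_LOCALPARTS = {"admin", "info", "office", "it", "support", "accounts"}

# Fixed reference date so the example is deterministic (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample users, shaped like Directory API users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "creationTime": "2019-03-01T09:00:00.000Z"},
    {"primaryEmail": "admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "creationTime": "2016-01-10T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "creationTime": "2020-05-05T09:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "creationTime": "2021-08-20T09:00:00.000Z"},
    {"primaryEmail": "newhire@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "creationTime": "2024-05-20T09:00:00.000Z"},
    {"primaryEmail": "leaver@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True,
     "creationTime": "2018-01-01T09:00:00.000Z"},
]


def parse_rfc3339(value):
    """Parse the millisecond UTC timestamps the Directory API returns."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit_users(users, now=NOW, grace_days=30, min_super=2, max_super=3):
    """Return a list of (finding_code, detail) tuples for active accounts."""
    findings = []
    active = [u for u in users if not u.get("suspended")]

    super_admins = [u["primaryEmail"] for u in active if u.get("isAdmin")]
    if not min_super <= len(super_admins) <= max_super:
        findings.append(("SUPER_ADMIN_COUNT",
                         f"{len(super_admins)} super admins, expected {min_super}-{max_super}"))

    for u in active:
        email = u["primaryEmail"]
        local_part = email.split("@", 1)[0].lower()
        any_admin = u.get("isAdmin") or u.get("isDelegatedAdmin")

        if u.get("isAdmin") and local_part in SHARED_MAILBOX_LOCALPARTS:
            findings.append(("SHARED_MAILBOX_SUPER_ADMIN", email))
        if any_admin and not u.get("isEnrolledIn2Sv"):
            # No grace period for admins: they are the accounts attackers value most.
            findings.append(("ADMIN_WITHOUT_2SV", email))
        elif not u.get("isEnrolledIn2Sv"):
            account_age = now - parse_rfc3339(u["creationTime"])
            if account_age > timedelta(days=grace_days):
                findings.append(("USER_WITHOUT_2SV", email))
        if not u.get("isEnforcedIn2Sv"):
            # Enrolled is not enforced: this account could still fall back to password only.
            findings.append(("2SV_NOT_ENFORCED", email))
    return findings


if __name__ == "__main__":
    for code, detail in audit_users(SAMPLE_USERS):
        print(f"{code:<28} {detail}")
```

Suspended accounts are skipped on purpose: an offboarded user who was never enrolled is not a live gap, whereas an active delegated admin without 2SV is the kind of line you want to see at the top of the list.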
5. Account Recovery Options
Where to check: Admin Console → Security → Authentication → Account recovery.
What good looks like: Recovery email and phone are required for every account. Admin-managed recovery for super admins is enforced. Users can’t bypass recovery setup.
Red flags:
- “Allow super admins to recover their account on their own” is on, with recovery email pointing to a personal Gmail.
- Users have skipped the recovery step at signup.
- Recovery contacts haven’t been updated since the year the company was founded.
Quick win: Push a notification to all users to verify their recovery details. The Admin Console can prompt them on next sign-in.
6. Mobile Device Management
Where to check: Admin Console → Devices → Mobile and Endpoints.
What good looks like: Mobile devices are at least under “Basic Management” - meaning a lost phone can be remote-wiped of work data, and a password on the device is required to access mail. “Advanced” gets you full MDM with app distribution and remote control.
Red flags:
- No mobile management at all. Anyone with a Gmail app on a personal phone can read company mail forever, regardless of whether they still work for you.
- “Basic” is configured but only a few users have actually enrolled.
- Lost-device incidents in the last year that you weren’t able to remotely wipe.
Quick win: Enable Basic Mobile Management. It’s included in all Workspace plans. Then enrol the leadership team’s phones first - they’re the most likely target and the most likely to have sensitive data cached.
7. Login Activity & Suspicious Sign-Ins
Where to check: Admin Console → Reports → Audit and Investigation → Login events.
What good looks like: Sign-ins concentrated in expected countries and IPs. No “successful login from new country” events you can’t explain. Failed login spikes investigated.
Red flags:
- Successful sign-ins from countries where no staff are based.
- A single user with sign-ins from 5+ different countries in a week (could be VPN, could be compromise).
- Failed login attempts in the hundreds for any single account - that’s a credential stuffing attack.
Quick win: Set up an admin email alert for “suspicious login activity” (Admin Console → Reports → Manage alerts). It costs nothing and tells you in real time.
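The alert covers the real-time side; for the quarterly review you also want to run the three red flags above over the exported login events. The block below is an added example, not code from the original post. It takes records shaped like the Reports API activities.list output for applicationName='login' (id.time, actor.email, ipAddress, events[].name) and reports successful sign-ins from outside your expected countries, any user seen in 5 or more countries within a rolling 7-day window, and any account with 100 or more failed attempts. The events, the IP-to-country table (a stand-in for a real GeoIP lookup, using documentation address ranges) and the thresholds are constructed assumptions.

```python
"""Triage sign-in events exported from the Reports API (applicationName='login').

Added example, not code from the original post. Events are constructed to follow
the Reports API activity shape; IP_COUNTRY stands in for a GeoIP lookup and the
expected-country set and thresholds are assumptions taken from the post's red flags.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXPECTED_COUNTRIES = {"GB", "IE"}   # assumed: where staff are actually based
MAX_COUNTRIES_PER_WEEK = 5          # "5+ different countries in a week"
FAILURE_THRESHOLD = 100             # "failed login attempts in the hundreds"

# Constructed stand-in for GeoIP resolution (TEST-NET documentation addresses only).
IP_COUNTRY = {
    "203.0.113.10": "GB", "203.0.113.11": "GB", "198.51.100.5": "IE",
    "192.0.2.77": "US", "192.0.2.88": "DE", "192.0.2.99": "BR",
}


def _evt(time, email, ip, name):
    """Build one activity record in the Reports API shape."""
    return {"id": {"time": time}, "actor": {"email": email}, "ipAddress": ip,
            "events": [{"type": "login", "name": name}]}


# Constructed sample: routine sign-ins, one off-pattern success, one user hopping
# countries across a week, and one account under a burst of failed attempts.
SAMPLE_EVENTS = [
    _evt("2024-06-03T08:01:00.000Z", "alice@example.com", "203.0.113.10", "login_success"),
    _evt("2024-06-03T09:15:00.000Z", "bob@example.com", "198.51.100.5", "login_success"),
    _evt("2024-06-03T23:40:00.000Z", "bob@example.com", "192.0.2.77", "login_success"),
    _evt("2024-06-01T07:00:00.000Z", "carol@example.com", "203.0.113.10", "login_success"),
    _evt("2024-06-02T07:00:00.000Z", "carol@example.com", "198.51.100.5", "login_success"),
    _evt("2024-06-03T07:00:00.000Z", "carol@example.com", "192.0.2.77", "login_success"),
    _evt("2024-06-04T07:00:00.000Z", "carol@example.com", "192.0.2.88", "login_success"),
    _evt("2024-06-05T07:00:00.000Z", "carol@example.com", "192.0.2.99", "login_success"),
] + [
    _evt(f"2024-06-03T02:{i % 60:02d}:{i // 60:02d}.000Z", "dave@example.com",
         "192.0.2.77", "login_failure")
    for i in range(150)
]


def parse_rfc3339(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def max_countries_in_window(stamps, days=7):
    """Largest number of distinct countries seen in any rolling window of `days`."""
    stamps = sorted(stamps)
    best = 0
    for t0, _ in stamps:
        seen = {c for t, c in stamps if t0 <= t <= t0 + timedelta(days=days)}
        best = max(best, len(seen))
    return best


def triage_logins(events, expected=EXPECTED_COUNTRIES, ip_country=IP_COUNTRY):
    """Apply the three red-flag rules and return the findings grouped by rule."""
    unexpected = []                 # (email, country, ip, time) for successes outside `expected`
    successes = defaultdict(list)   # email -> [(time, country)]
    failures = defaultdict(int)     # email -> failed attempts

    for ev in events:
        email = ev["actor"]["email"]
        name = ev["events"][0]["name"]
        ip = ev.get("ipAddress")
        country = ip_country.get(ip, "UNKNOWN")   # unresolvable IPs count as unexpected
        when = parse_rfc3339(ev["id"]["time"])
        if name == "login_success":
            successes[email].append((when, country))
            if country not in expected:
                unexpected.append((email, country, ip, ev["id"]["time"]))
        elif name == "login_failure":
            failures[email] += 1

    many_countries = []
    for email, stamps in successes.items():
        n = max_countries_in_window(stamps)
        if n >= MAX_COUNTRIES_PER_WEEK:
            many_countries.append((email, n))
    spikes = [(email, n) for email, n in failures.items() if n >= FAILURE_THRESHOLD]
    return {"unexpected_country": unexpected,
            "many_countries": many_countries,
            "failure_spikes": spikes}


if __name__ == "__main__":
    for rule, hits in triage_logins(SAMPLE_EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The rolling window rather than a calendar week matters for the country-hopping rule: five countries split across a Sunday-to-Monday boundary is the same signal, and a fixed week would miss it. As the post notes, a hit on that rule may be a VPN rather than a compromise, which is why the output is a list to go and ask about, not an automatic lockout.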
8. Vault, Retention & Data Loss Prevention
Where to check: Admin Console → Apps → Google Workspace → Vault (if you have Business Plus or higher).
What good looks like: A documented retention policy for mail and Drive. Legal hold capability set up before you need it. DLP rules for the obvious risks (credit card numbers, SSNs, anything regulated by your industry).
Red flags:
- Vault is licensed but never configured - you’re paying for capability you can’t use.
- No retention policy, so when an ex-employee deletes their inbox on the way out, those emails are gone for good.
- DLP is off entirely on a Business Plus plan.
Quick win: Even with no other DLP rules, turn on Vault retention for mail. Default to “retain forever” if you don’t know what your industry requires - easier to dial back later than to recover lost mail.
Scoring Your Audit
For each of the 8 categories, score yourself:
- Green - set up correctly, recently verified, no obvious gaps.
- Yellow - exists but has gaps, or hasn’t been reviewed in 12+ months.
- Red - not configured, default settings, or active concerns.
0 - 2 Reds: You’re in better shape than most SMBs. Run the audit again next year. Fix the Yellows opportunistically.
3 - 5 Reds: You have a backlog. Pick the top two highest-impact gaps (usually MFA enforcement and OAuth app review) and close those in the next 30 days. Schedule the next audit for 90 days out, not a year.
6+ Reds: You’re carrying real risk. This is the point where DIY stops being the right answer - the time to fix is more than the time to bring someone in who’s done it before.
What to Fix First (Whether You DIY or Get Help)
If you’re going to do only one thing this week:
Enforce 2-Step Verification. It’s the single biggest reduction in compromise risk you can make. Three minutes of admin console clicks. Sets you ahead of most SMBs we audit.
If you’re going to do two:
MFA + OAuth app review. Revoking unused third-party app access closes the “old SaaS tool still has Drive scope” hole that quietly accumulates over years.
Three:
Add account hygiene - at minimum, confirm your super admin count is sensible and every super admin has a security key, not just an authenticator app.
When DIY Isn’t the Right Move
Three signs you should get someone external in:
- You have a compliance obligation (HIPAA, SOC 2, ISO 27001). Self-audit isn’t enough evidence. You need a documented process and written findings.
- You’ve had an incident - a phishing victim, a suspicious login you can’t explain, an ex-employee dispute over data access. Get an external pair of eyes on what happened.
- You scored 6+ Reds and don’t have anyone in-house who’s run this fix-list before. The longer it stays open, the more it costs to close.
The Workspace Advance Audit is the fixed-price option. We cover every category above plus the deeper checks (DKIM/SPF/DMARC, Vault rule design, conditional access posture), then deliver a written report with prioritised remediation. If you just need the entry-level version, the Workspace Basic Audit covers the top 5 categories at lower cost.
Related Resources
- How to Set Up a Custom Email Domain - domain architecture often comes up during security reviews.
- How to Change Primary Domain in Google Workspace - companion to the rebrand-and-security planning conversation.
Key Takeaways
- Most SMB Workspace tenants have 3+ medium-severity findings that the owner doesn’t know about.
- The highest-impact wins are usually in the first three categories: MFA enforcement, OAuth third-party app review, and external sharing controls.
- Quarterly 15-minute spot checks beat once-a-year deep dives - drift happens fastest in the first 60 days after a staff change.
- For teams under 50 users, the admin console + a structured self-audit is sufficient. Above that, or under compliance obligations, bring in a written assessment.
- Super admin accounts and OAuth tokens are the two areas where neglect compounds - they almost never get worse on cutover day, but they almost always get worse over years.
Want this run for your business? The Workspace Advance Audit covers all 8 categories above plus DLP and email authentication, with a written remediation plan. Fixed price.