Google Workspace security for employees


Why are employees and their companies interesting targets for attacks?

Employees are interesting to attackers because the majority of security breaches are caused by individuals. Through human error, carelessness or accident, we do something, usually a click, that lets the attacker in. Once they are in our personal systems, they can get access to the company systems.

Here are some of the reasons why attackers want to get access to company data:

💸 Money
💣 Sabotage your employers' or customers' reliability
🤫 Access to your employers' or customers' confidential information
💿 Collect data
💀 Random or societal destruction or incapacitation

An attack usually starts from one person or employee. The target is not one person individually. The goal is to get access to the organization’s systems, and through there to customers and service providers. In the worst-case scenario, the attack can spread to the entire society.

Here are some examples of cyber attacks in recent years:


How to recognize an attack?

Information security attacks often start with social engineering.

This social manipulation can happen in various channels: emails, phone calls, text messages, etc. What the attackers try to do is to get you to trust them, and then use that trust to manipulate you into giving them money, access, or data.

For example, attackers can create fake profiles on LinkedIn and Facebook and send you a contact request from this fake person. Having real people as connections gives the fake account legitimacy, and the attackers then use it to deliver their scams.

Types of attacks – doors into the system

Here are some of the most common ways attackers use.

  1. Phishing: trying to get you to do something you don’t want to do
    • Spear phishing – usually targets a specific group of employees in a company
    • Whaling – a very targeted attack, usually on senior-level employees in a company
    • Vishing – phishing done via phone calls
    • Impersonation – e.g. fake accounts on social media channels
    • Smishing – phishing done via text messages
    • API phishing – tricking you into granting a malicious third-party app access to your account
       
  2. Malware
    • An attacker gets in through phishing and then plants malicious software that spreads in the system, usually incapacitating it

    • Ransomware – malicious software that locks up your data or device and threatens to keep it locked unless you pay the attacker a ransom.

  3. Compromised passwords
    • Guessing or cracking your passwords to gain access to your accounts

  4. Encryption issues & misconfiguration
    • Encryption issues – encryption scrambles readable text so it can only be read by the person who has the secret code, or decryption key. If this process has issues, it makes the system vulnerable.

    • Misconfiguration – an application component is vulnerable to attack as a result of glitches, gaps, and errors during configuration

  5. Unpatched software
    • Applications or systems that contain vulnerabilities that have not yet been fixed through updates or patches.

  6. Physical
    • This happens in the “real world”. Hackers could be listening to a company’s employees in cafes or events. They try to overhear any information that could help them to attack the employees online later. Or it could be that the electrician at the office was not an electrician after all.

Ways to mitigate - 8 things you can do to keep things safe

Even if your organization has top-notch security configuration and operations, you are still an important link in the security chain. There are several things that you need to know and do to keep yourself and your company safe. Here are some of the most important ones.

Prefer two-factor verification in all services

Why?
Two-factor verification gives good protection against basic phishing: a stolen password alone is not enough to log in.
Two-factor verification is enforced on your Google account, but Google is not the only service where confidential information is stored.

How to check if this is on in Google?

  1. Go to myaccount.google.com/security
  2. If 2-step verification is off, the security page shows a notice saying so.
  3. Click on the arrow on the right-hand side of that notice. On the page that opens, click Get Started and follow the instructions.

Use password programs

Humans are essentially lazy creatures: we tend to use the same or very similar passwords in different services. If attackers have some of your login details, they will try them on other services. If you’ve used the same password, you open the doors to attackers. And figuring out passwords is not that hard for attackers.

[Image: table of how long it takes to crack passwords of different lengths. Image source: Hive Systems]

This is why you have to give different passwords to different services. To help remember the multiple passwords you have, you can use password programs.

Password programs (password managers) store all your passwords securely and give you easy access to them. You don’t have to remember dozens of passwords or reuse a few passwords over and over again across different sites. Do remember to safeguard the password program itself with a strong master password and two-factor verification; otherwise it becomes the weak link.

Perform Google password checkup

Why?

If you’re using Google Chrome to store your passwords, the password checkup is a good way to see whether your passwords have been compromised or reused.

How to check?

  1. Go to passwords.google.com/checkup
  2. Click ‘Check passwords’. If you have saved passwords, you will see a list of compromised, reused and weak passwords.
  3. Act upon yellow and red alerts

Report phishing messages

You don’t receive all phishing messages that are sent to you because most of them get filtered or erased from your system before they get to your inbox. But sometimes phishing messages find their way to you.

If that happens, here’s how to report them:

  1. Open the mail. Don’t worry, nothing happens yet; just don’t click anything in the message.
  2. Click the three dots in the upper right corner of the message. Click on Report phishing or Report spam. This lets Google and your own organization’s ICT team collect these messages and learn from them.

If you did open a link, report it quickly. Contact IT support. Don’t hesitate to ask if you think you have done something wrong. Better to ask quickly rather than wait and see what happens.

When you get a message that you suspect is phishing, evaluate the message as a whole. 

Look carefully at:

  • The title
  • Sender
  • Subject
  • Attachments
  • Links

Do any of these look illegitimate? Is there something weird about them? Does it look like it has come from a legitimate company or person? There might be only small differences between the sender's address and the legitimate one. Check it, and check with a colleague.
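As an added example (not code from the original article), here is a small Python check of the kind of "small difference in the sender's address" the text warns about. It assumes a constructed allowlist of legitimate domains (KNOWN_DOMAINS) and flags digit-for-letter swaps, one or two character typos, brand names used as labels of another domain, and non-ASCII/punycode domains.

```python
import unicodedata

# Constructed allowlist of domains the organisation treats as legitimate (example values).
KNOWN_DOMAINS = {"example.com", "google.com", "linkedin.com"}
# Characters attackers commonly swap into a domain so it reads like the real one.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Lower-case, drop non-ASCII characters, and undo the common swaps above."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def sender_domain(address: str) -> str:
    """Extract the domain from 'Display Name <user@host>' or a plain 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender address's domain."""
    domain = sender_domain(address)
    if domain in KNOWN_DOMAINS or any(domain.endswith("." + k) for k in KNOWN_DOMAINS):
        return "known"  # exact match or a real subdomain such as mail.google.com
    if domain.startswith("xn--") or any(ord(c) > 127 for c in domain):
        return "lookalike"  # internationalised/punycode domain mimicking a brand
    norm = normalise(domain)
    labels = norm.split(".")
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if norm == known or edit_distance(norm, known) <= 2:
            return "lookalike"  # e.g. go0gle.com or linkedln.com
        if any(brand in label for label in labels):
            return "lookalike"  # brand hidden inside another domain, e.g. google.com.evil.net
    return "unknown"
```

A result of "unknown" is not proof of legitimacy; it only means the domain does not resemble one on the allowlist, so the other items in the list above still need checking.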

Read the warning messages

Whenever Gmail sends you a warning, read what the warning says and act upon it. Don’t just delete the message. Read the warning and think: what does this mean? Warnings always appear for a reason and you should always read, understand and act upon them.

The warnings look like this:

[Screenshot of a Gmail warning omitted]

Keep applications and operating systems up-to-date

Why? 
Attackers are constantly searching for zero-day vulnerabilities. 

How to safeguard against it?
Update apps and operating systems on all devices when prompted. Do not keep postponing updates; act as soon as you can. Only install the apps and software you need.

Updating doesn’t solve all the problems but the more up-to-date your system is, the fewer cracks there are for the attackers to use to get into your system.

Pay attention to 3rd party access requests

Why? 
Modern tools are built on APIs. Attackers can use APIs to gain harmful access as well by tricking the user to give access to malicious third parties. 

How?
Read the API access requests and make sure the request aligns with what you are trying to achieve. Understand what the permissions and rights you are granting actually allow the third party to do.

[Screenshot of a third-party access request omitted]

Share information in a smart way

Why?
When your general settings are tight and your infrastructure is solid, the most likely data leak is oversharing, or sharing information by accident.

How to safeguard against it?
Internally use groups for sharing and stick with folder structures. Externally favor direct sharing and use timed sharing when possible. Be cautious with access requests.

How to share securely in Google Drive?
The safest way to share is to share with one person or a group. Then you know exactly who you are sharing the file with.

Data management: by default, all your work-related files and everything you need in your work should be in Drive. Don't download anything to your computer.

Whenever you share something in Drive, think about what levels of rights you want to share. Remember: you don’t have to give rights forever. 

Membership levels in Google Drive:

[Screenshot of the Google Drive sharing roles omitted]

Perform Google security checkup

Why? 
It is an easy and guided way to make sure your security settings are in order. Running this check shows you what level your Google account's security is at.

How to do it?

  1. Go to https://myaccount.google.com/security-checkup. You will see a list of checks, one per area of your account.
  2. If you have no issues to resolve, all the checkmarks will be green. If an area is flagged (for example 2-step verification), clicking on the down arrow will show you what the specific issue is and guide you to resolve it.
  3. Follow the guide until you get ‘No issues found’.

You should also check other settings in your Google Workspace.


Bonus tips for information security in remote work

Networks
Use only secure networks, and use a VPN connection if your company recommends one. You should not connect your device to a network you cannot trust; use your own phone’s connection instead.

Make sure the wireless (WLAN) network in your home is protected by a password and that the router and other network devices are up to date, and only use that network. Don’t open your WLAN to everyone.

Devices
Use the tools provided by your organization. The data security of your own devices is not maintained as consistently as your organization’s devices. 

Conversations out in the open
Only talk about work in places where bystanders cannot hear the conversation. Outsiders don’t need to know what you or your colleagues do. 

Mobile phones
Use security codes, always lock your screen, and hide the notifications that appear on the lock screen: not everyone needs to see that your CEO has just messaged you. Enable remote wiping of the phone, so that if you lose it you can still clear its data.

Laptops
Make sure others cannot see your computer screen. Use protective film to darken the screen. Don’t leave your computer and phones unattended. Minimize the amount of information you store locally on your computer and prefer storing everything in the cloud.

Remember: security starts with you

The main thing to remember is to keep your own things safe. By keeping your stuff safe you prevent attackers from moving through your organization. When the basics of Google accounts are under control, it is a good idea to systematically invest in the further development of security. And if you want to be absolutely sure your Google Workspace is safe, you can let it be managed by a partner.
