Google Workspace Security Checklist: What Philippine Businesses Skip in Admin Console
Google Workspace ships with defaults optimised for accessibility and ease of adoption, not for security. For Philippine businesses operating under RA 10173 (Data Privacy Act), BSP technology risk management guidelines, or contractual data handling requirements, the defaults need to be tightened before Workspace is used for business data.
This is the Admin Console security checklist — what to configure, in what order, and why each setting matters. For the complete Workspace setup guide, see our Google Workspace Admin Setup Guide.
1. Enforce 2-Step Verification for All Users
Admin Console path: Security → Authentication → 2-Step Verification
Default: 2SV is available but not enforced — users can skip it.
The risk: Without enforced 2SV, a stolen or phished password gives an attacker complete access to the user's Gmail, Drive, and all Workspace apps. Business email compromise (BEC) attacks targeting Philippine businesses frequently succeed because 2SV is not enforced.
Configuration:
- Set enforcement to "On" for all users
- Set "Enforcement date" (allow a grace period of 1–2 weeks for users to enrol)
- Under "Methods allowed," select "Any" to allow Authenticator app, SMS, or hardware key — but communicate that the Authenticator app is preferred over SMS (SIM swap risk)
- Consider requiring "Security keys only" for admin accounts
2. Tighten Drive Sharing Settings
Admin Console path: Apps → Google Workspace → Drive and Docs → Sharing settings
Default: "Anyone with the link" sharing is permitted — files can be shared with the public internet without sign-in.
The risk: Staff share Drive files via "Anyone with the link" for convenience. These links persist indefinitely, work from any network, and provide no audit trail of who accessed the file.
Configuration for Philippine businesses:
- Sharing outside your organisation: Set to "Off" or "Allowed for specific domains only" if you regularly share with known partners
- Default link sharing: Change from "Anyone with the link" to "Restricted (only people explicitly added)"
- Warn when sharing outside organisation: Enable — users see a confirmation dialog before sharing externally
- External sharing from Google Sites: Disable if not needed
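Tightening the sharing defaults does not tell you which files are already exposed, so here is an added example (not code from the original post) that classifies Drive permissions against the organisation's domain and an allowlist of partner domains, the same distinction the "Allowed for specific domains only" setting makes. The file records are constructed to match the shape of Drive API v3 `files.list` results with the `permissions` field; the domains, file names and `PARTNER_DOMAINS` are assumptions.

```python
# Constructed file records shaped like Drive API v3 files.list results with the
# `permissions` field (permissions[].type/role/emailAddress/domain). Domains and
# file names are made up; PARTNER_DOMAINS stands in for the "specific domains"
# an admin would allowlist under Sharing settings.
INTERNAL_DOMAIN = "example.ph"
PARTNER_DOMAINS = {"partner.example"}

SAMPLE_FILES = [
    {"id": "f1", "name": "Payroll Q1.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.ph"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "Vendor contract.pdf", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "legal@example.ph"},
        {"type": "user", "role": "writer", "emailAddress": "counsel@partner.example"}]},
    {"id": "f3", "name": "Customer list.csv", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.ph"},
        {"type": "user", "role": "reader", "emailAddress": "someone@gmail.com"},
        {"type": "domain", "role": "reader", "domain": "example.ph"}]},
    {"id": "f4", "name": "Team notes.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ops@example.ph"},
        {"type": "group", "role": "writer", "emailAddress": "ops-team@example.ph"}]},
]

def _domain_of(perm):
    """Domain a permission grants access to (domain shares or the address's domain)."""
    if perm["type"] == "domain":
        return perm.get("domain", "").lower()
    return perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()

def classify_permission(perm, internal=INTERNAL_DOMAIN, partners=PARTNER_DOMAINS):
    """Label one permission: public_link, external (unknown party), partner or internal."""
    if perm["type"] == "anyone":          # "Anyone with the link": no sign-in, no audit trail
        return "public_link"
    domain = _domain_of(perm)
    if domain == internal:
        return "internal"
    return "partner" if domain in partners else "external"

def external_exposure(files, **kw):
    """Map file name -> sorted non-internal labels, for files reachable outside the org."""
    report = {}
    for f in files:
        labels = {classify_permission(p, **kw) for p in f["permissions"]}
        labels.discard("internal")
        if labels:
            report[f["name"]] = sorted(labels)
    return report
```

Files tagged `public_link` are the ones to fix first; `external` entries are individual outside accounts (personal Gmail included), which the "Sharing outside your organisation: Off" setting stops going forward.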
3. Configure Session Duration
Admin Console path: Security → Google session control
Default: Google sessions persist for 14 days — a user who signs in does not need to re-authenticate for two weeks.
The risk: A device that is lost or stolen retains active Google Workspace sessions for up to 14 days. During this window, the finder/thief has full access to Gmail, Drive, and all connected apps.
Recommended configuration:
- Web session duration: 8 hours for standard users (forces daily re-authentication during work hours)
- Admin accounts: 4 hours maximum (shorter session for highest-privilege accounts)
- When to use "Never re-authenticate": Only for specific service accounts or devices in controlled environments
4. Enable and Review Audit Logs
Admin Console path: Reporting → Audit and investigation
Default: Audit logging is on, but not reviewed. Retention is 6 months for most events.
What to monitor for Philippine businesses:
- Admin activity log: Every admin console change — adding users, changing permissions, modifying settings — is logged. Review weekly.
- Drive audit log: File access, sharing events, deletion. Critical for NPC breach investigations — you need to know who accessed what files and when.
- Login audit: Failed logins, logins from unusual locations, logins from unrecognised devices. A spike in failed logins against one or more accounts indicates a brute-force attempt.
- Gmail log: Email forwarding rules created (a common BEC persistence technique — attacker creates a forwarding rule to copy all email to an external address)
Configure alerts: Admin Console → Reporting → Manage alerts → Enable alerts for admin login, suspicious login attempts, and email forwarding rules created.
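The two detections the section above calls out, failed-login spikes and forwarding-rule creation, as an added example that is not part of the original post: it runs over constructed records shaped like Admin SDK Reports API activity entries rather than a live export. The `forwarding_rule_created` event name and its `forward_to` parameter are assumed placeholders for the Gmail forwarding event, not documented Google names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Admin SDK Reports API activity entries
# (id.time, id.applicationName, actor.email, events[]). "forwarding_rule_created"
# is an assumed placeholder for the Gmail forwarding-rule event, not a documented name.
def _rec(ts, app, actor, name, params=None):
    return {"id": {"time": ts, "applicationName": app}, "actor": {"email": actor},
            "events": [{"name": name, "parameters": params or []}]}

SAMPLE_EVENTS = (
    # six password failures against one account within five minutes
    [_rec(f"2024-03-04T01:0{i}:00Z", "login", "maria@example.ph", "login_failure")
     for i in range(6)]
    + [_rec("2024-03-04T01:07:00Z", "login", "maria@example.ph", "login_success"),
       # two failures hours apart for another user: ordinary typos, not a spike
       _rec("2024-03-04T02:00:00Z", "login", "jose@example.ph", "login_failure"),
       _rec("2024-03-04T06:30:00Z", "login", "jose@example.ph", "login_failure"),
       _rec("2024-03-04T03:15:00Z", "gmail", "maria@example.ph", "forwarding_rule_created",
            [{"name": "forward_to", "value": "dropbox@external.example"}])])

def failed_login_spikes(events, threshold=5, window=timedelta(minutes=10)):
    """Account -> largest number of login_failure events inside one sliding window."""
    failures = defaultdict(list)
    for rec in events:
        if rec["id"]["applicationName"] == "login" and any(
                e["name"] == "login_failure" for e in rec["events"]):
            failures[rec["actor"]["email"]].append(
                datetime.strptime(rec["id"]["time"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for email, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop failures outside the window
                start += 1
            run = end - start + 1
            if run >= threshold:  # only runs reaching the threshold count as a spike
                flagged[email] = max(flagged.get(email, 0), run)
    return flagged

def forwarding_rules_created(events):
    """List (actor, destination) for every forwarding-rule creation event."""
    found = []
    for rec in events:
        for e in rec["events"]:
            if e["name"] == "forwarding_rule_created":
                dest = next((p["value"] for p in e["parameters"] if p["name"] == "forward_to"), "?")
                found.append((rec["actor"]["email"], dest))
    return found
```

A forwarding rule pointing at a domain outside the organisation, created shortly after a burst of failed logins on the same account, is the BEC persistence pattern the checklist describes and should be treated as an incident, not a settings change.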
5. Configure Context-Aware Access (Business Plus and above)
Admin Console path: Security → Access and data control → Context-Aware Access
What it does: Enforces access policies based on device compliance, network, and user context — similar to Microsoft's Conditional Access. Only enrolled, compliant devices can access specific Workspace apps.
Recommended policies for Philippine businesses:
- Require device management enrolment for access to Drive and Gmail from desktop
- Block access from countries other than the Philippines and any countries where your staff work remotely
- Require Google Workspace account sign-in (block personal Google accounts from accessing company resources)
6. Enable Data Loss Prevention (Business Plus and Enterprise)
Admin Console path: Security → Access and data control → DLP rules
What it does: Scans outbound Gmail and Drive content for sensitive data patterns — Philippine SSS numbers, credit card numbers, personal email addresses in bulk — and blocks or alerts when detected.
Starting configuration:
- Create a rule: scan outbound Gmail for Philippine TIN number pattern, alert admin when detected
- Create a rule: block external Drive sharing of files containing bulk email addresses (over 10)
See our Data Loss Prevention guide for the full configuration approach.
7. Endpoint Verification and Device Management
Admin Console path: Devices → Mobile & endpoints → Setup
What it does: Requires devices to register with Google Endpoint Verification before accessing Workspace. Allows the company account and its data to be wiped remotely from managed apps without wiping the user's personal device.
Minimum configuration:
- Enable Endpoint Verification (available in all paid plans)
- Enable "Require approved devices" for Drive and Gmail access (Business Plus and above, via Context-Aware Access)
- Configure remote wipe capability for all enrolled mobile devices
8. Review Third-Party App Access
Admin Console path: Security → Access and data control → API controls → Manage third-party app access
Default: Users can grant any third-party app access to their Google Workspace account by clicking "Allow" in an OAuth prompt.
The risk: A phishing campaign using a malicious OAuth app can gain access to a user's Gmail and Drive without needing their password — the user clicks "Allow" in a legitimate-looking Google consent screen.
Configuration:
- Set to "Restricted" — only admins can approve third-party app access
- Audit the existing approved apps list and revoke any that are no longer used or unrecognised
Admin Console Security Checklist Summary
| Setting | Location | Priority |
|---|---|---|
| Enforce 2SV for all users | Security → Authentication | Critical |
| Restrict Drive external sharing | Drive and Docs → Sharing settings | Critical |
| Shorten session duration | Security → Session control | High |
| Enable login/Drive/Gmail alerts | Reporting → Manage alerts | High |
| Configure Context-Aware Access | Security → Access and data control | Medium |
| Enable DLP rules | Security → DLP | Medium |
| Enable endpoint verification | Devices → Setup | Medium |
| Restrict third-party app OAuth | Security → API controls | High |
Related reading: Google Workspace Admin Setup Guide · Data Loss Prevention Philippines · AI data privacy guide · MDM Philippines
For Philippine organisations configuring Google Workspace security in the Admin Console, get in touch.
