Google Workspace flagged security gaps. Your small‑business checklist.
What’s going on
If your organization uses Google Workspace, your admin likely received the email in the screenshot below.

This email is your cue to do a quick review in the Admin console and check the essentials. Plan about 30 minutes for the initial settings pass. Start with 2‑Step Verification and recovery options. They deliver the biggest gains.
Why this matters
Phishing is a top attack method. Google reports orgs detected 149K+ phishing emails in a single week. One stolen password can expose mail, files, calendars, and shared drives. The good news is you can reduce risk quickly with a few simple settings.
Time to complete: 30–45 minutes for most orgs (settings pass). Full rollout varies with DNS and user enrollment.
Note: These steps assume you can sign in to the Admin console and locate basic settings.
Small-Business Essentials
Start here. These seven moves are fast and high impact. Most teams can complete these in under an hour.
1. Turn on 2‑Step Verification. Use strong passwords.
- Require 2‑Step Verification for admins and key users first. Expand to all users when ready.
- Use unique passwords. Do not reuse business passwords on other sites.
- Where to set 2SV: Admin console → Security → Authentication → 2‑Step Verification.
- Outcome: Accounts stay secure even if a password leaks.
2. Recovery ready
- Add recovery phone and email for admin accounts.
- Generate and print backup codes. Store them securely.
- Create a dedicated Super Admin account for admin tasks. Do daily work with a regular user account.
- Create an additional super admin account managed by a second person, such as your website support specialist or IT provider.
- Related: Keep Access to Your Google Assets When Moving Email
- Outcome: You can recover access quickly during lockouts.
3. Safer Gmail defaults
- Turn on enhanced pre‑delivery message scanning.
- Turn on advanced phishing and malware protection for attachments and links.
- Where to set: Admin console → Apps → Google Workspace → Gmail → Safety → Advanced protections.
- Outcome: Bad messages get flagged or blocked before users act on them.
4. Email deliverability
- Set up SPF for your domain to reduce bounces and spam flags.
- Add DKIM and DMARC later when you are ready.
- Where to set: Admin console → Apps → Google Workspace → Gmail → Authenticate email.
- Note: SPF changes can take up to 48 hours to propagate. Check results in your DNS and Gmail message headers.
- Outcome: Legitimate email is trusted and reaches inboxes more reliably.
5. Calendar sharing
- Restrict external calendar sharing to free/busy only.
- Where to set: Admin console → Apps → Google Workspace → Google Calendar → Sharing settings. Set External sharing to Free/busy only.
- Outcome: External viewers see availability, not event details.
6. Drive sharing defaults
- My Drive: New files are private until shared; files in shared folders inherit that folder’s access.
- Shared drives: Files inherit the drive’s permissions; manage access at the drive level.
- External sharing: OFF blocks sharing outside your org; ON allows it with a warning before sharing (recommended for most small teams).
- Where to set: Admin console → Apps → Google Workspace → Drive and Docs → Sharing settings. Set “Sharing outside your organization” to OFF or ON; if ON, turn on “Warn when files are shared outside your organization.” Set “General access default” to “Private to the owner.”
- Outcome: OFF prevents external shares; ON with warning allows them while reducing accidental oversharing.
7. Fewer super admins, safer devices
- Reduce super admins and use least‑privilege roles for daily tasks. Use a separate Super Admin account only for changes, then sign out.
- Keep Chrome and browsers auto‑updating to get security patches quickly.
- Outcome: Lower blast radius if an admin account or device is compromised.
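To confirm steps 1, 2 and 7 took effect, you can audit a user export instead of clicking through each account. The following is an added example, not part of the original checklist. It assumes a JSON export in the shape returned by the Admin SDK Directory API `users.list` call; the sample data is constructed and the super admin ceiling of 3 is an assumed value.

```python
import json

# Constructed sample in the shape of an Admin SDK Directory API users.list
# response; every address and value here is made up.
SAMPLE_EXPORT = json.dumps({"users": [
    {"primaryEmail": "owner-admin@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True,
     "recoveryEmail": "owner@example.net", "recoveryPhone": "+15555550100"},
    {"primaryEmail": "it-admin@example.com", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False,
     "recoveryEmail": "it@example.net"},
    {"primaryEmail": "sam@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False},
    {"primaryEmail": "lee@example.com", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
    {"primaryEmail": "former@example.com", "isAdmin": False, "suspended": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False},
]})

MAX_SUPER_ADMINS = 3  # assumed ceiling for a small team; the page sets no number


def audit_users(export_json):
    """Return checklist findings for the active accounts in a user export."""
    users = [u for u in json.loads(export_json).get("users", [])
             if not u.get("suspended")]
    admins = [u for u in users if u.get("isAdmin")]  # isAdmin = super admin

    def emails(rows):
        return sorted(u["primaryEmail"] for u in rows)

    return {
        # Step 1: super admins without 2SV are the first accounts to fix.
        "admins_without_2sv": emails(
            u for u in admins if not u.get("isEnrolledIn2Sv")),
        "users_without_2sv": emails(
            u for u in users if not u.get("isAdmin")
            and not u.get("isEnrolledIn2Sv")),
        # Enrolled but not enforced: the user can still switch 2SV off.
        "enrolled_not_enforced": emails(
            u for u in users if u.get("isEnrolledIn2Sv")
            and not u.get("isEnforcedIn2Sv")),
        # Step 2: each admin needs a recovery phone and a recovery email.
        "admins_missing_recovery": emails(
            u for u in admins
            if not (u.get("recoveryEmail") and u.get("recoveryPhone"))),
        # Steps 2 and 7: at least two super admins, but not many.
        "super_admin_count_ok": 2 <= len(admins) <= MAX_SUPER_ADMINS,
    }
```

Call `audit_users(SAMPLE_EXPORT)` to see the findings for the sample; suspended accounts are skipped so former staff do not clutter the report.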
Level up later
- Enable DKIM and DMARC for stronger email authentication.
- Turn on admin alerts for risky changes like 2SV, routing, or API access.
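Step 4 says to check results in your DNS and in Gmail message headers, and DKIM and DMARC verdicts appear in the same header once you enable them. The following is an added example, not part of the original checklist. It checks a domain's TXT records for a usable Google Workspace SPF record and reads the verdicts from an `Authentication-Results` header; the sample records, header, domain and IP are constructed.

```python
import re

GOOGLE_INCLUDE = "include:_spf.google.com"  # Google Workspace's sending hosts
# SPF terms that each cost one DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")


def check_spf(txt_records):
    """Return a list of problems with a domain's SPF setup (empty means OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers treat this as an error)"]
    terms = spf[0].lower().split()[1:]
    problems = []
    if GOOGLE_INCLUDE not in terms:
        problems.append("Google Workspace is not authorized to send")
    if not terms or terms[-1] not in ("~all", "-all"):
        problems.append("record should end with ~all or -all")
    # Counts top-level terms only; nested includes add further lookups.
    if sum(bool(LOOKUP_TERM.match(t)) for t in terms) > 10:
        problems.append("more than 10 DNS-lookup terms")
    return problems


def auth_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))


# Constructed samples: TXT records as returned by a DNS lookup, and the
# header Gmail shows under "Show original" (domain and IP are placeholders).
TXT_GOOD = ["google-site-verification=PLACEHOLDER",
            "v=spf1 include:_spf.google.com ~all"]
TXT_DUPLICATE = ["v=spf1 include:_spf.google.com ~all",
                 "v=spf1 include:mail.example.net ~all"]
HEADER = ("Authentication-Results: mx.google.com; "
          "dkim=pass header.i=@example.com header.s=google; "
          "spf=pass (google.com: domain of sam@example.com designates "
          "203.0.113.7 as permitted sender) smtp.mailfrom=sam@example.com; "
          "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com")

if __name__ == "__main__":
    print(check_spf(TXT_GOOD), check_spf(TXT_DUPLICATE))
    print(auth_results(HEADER))
```

A second `v=spf1` record is a common leftover when moving email providers; merge the mechanisms into one record rather than publishing two.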
Implementation notes
Assumption: You have access to, and are familiar with, the Google Workspace Admin console.
Note on timing: 30–45 minutes covers a focused settings pass in the Admin console for small teams. Full rollout can take longer:
- SPF DNS changes may take up to 48 hours to propagate.
- 2‑Step Verification requires user enrollment, which can add hours or days depending on team size.
- Reviewing existing Shared drives and external shares can add time for larger or complex setups.
Need help?
For existing Webmarks clients, I offer a flat‑rate Google Workspace Security Essentials setup for small teams: $195 CAD plus GST for a focused settings pass, up to 90 minutes.
This includes setup, verification, and time for questions. It covers 2‑Step Verification policy, Gmail protections, safer sharing defaults, and SPF. Additional work, like user enrollments, DKIM or DMARC, and shared‑drive audits, is billed at my standard hourly rate.
Non‑profits: $145 CAD plus GST for up to 90 minutes. Same scope and deliverables.
Contact me for more information or to schedule a time.
Otherwise, share this checklist with your IT service provider.
Resources
- Google Workspace: Security checklist for small businesses (1–100 users)
- Google Workspace: Security best practices for administrator accounts
- Security Center: Prevent, detect, and remediate security threats
- Alert Center: View and manage alerts in the alert center