Community IT Innovators Nonprofit Technology Topics

Securing Google Workspace for Nonprofits with Steve Longenecker pt 1

Community IT Innovators Season 7 Episode 46

In the first part of this two-part conversation taken from a webinar, Carolyn Woodard and Steve Longenecker, Director of IT Consulting at Community IT Innovators, walk through the security settings, risks, and first steps nonprofits need to know to get the most out of Google Workspace's free nonprofit tier.

Google provides a genuinely secure platform, but security is a partnership. Steve explains that the risks nonprofits face in Google Workspace rarely come from Google's infrastructure and almost always come from the configuration decisions made on the customer side. 

Whether your organization has been on Google for years or just signed up, there are settings in the admin console right now that deserve your attention.

Steve and Carolyn cover:

  • Why Google Workspace is a strong platform for nonprofits and what the free nonprofit tier includes, including where it stops and paid tiers or third-party tools pick up.
  • 2SV (two-step verification) is Google's term for MFA (multi-factor authentication), and enforcing it for every user account is the single most important step you can take.
  • How phishing, email spoofing, and business email compromise play out specifically in nonprofit environments, and what DNS settings like DMARC and DKIM do to reduce your exposure and protect your organization.
  • Why shared and generic accounts create MFA blind spots, and how Google Groups can be a cleaner alternative for shared inboxes like info@ or donations@.
  • The risks of unmanaged personal Google accounts, inactive user accounts, and overly permissive admin privileges, and how to find and address them in the admin console.
  • Why migrating from My Drive file sharing to Google Shared Drives is a security and governance upgrade, and why it's worth planning carefully before you start.


Carolyn Woodard

Hello, everyone. Thank you for joining us at the Community IT webinar, Securing Google Workspace for Nonprofits with Steve Longenecker.

Carolyn Woodard

Google Workspace is one of the most widely used platforms in the nonprofit sector. And the free nonprofit tier gives organizations a really powerful set of tools. But how secure is it? Steve is going to walk through the security settings and practices that are available to nonprofits in the free Google Workspace tier and share guidance on when it makes sense to consider upgrading to a paid tier for more advanced security features or using some third-party tools depending on your nonprofit's risk profile.

Carolyn Woodard

My name is Carolyn Woodard. I am the outreach director for Community IT and the moderator today. I'm very happy to hear from our expert, but first I want to go over our learning objectives. So

Carolyn Woodard

Today we're going to focus on these themes. So is Google Workspace inherently secure or insecure? What is Google Workspace's nonprofit tier and what securities does that include? What are the biggest risks nonprofits face in Google Workspace? And what actions can you take now to reduce those risks? And when should you look beyond the nonprofit tier? And what should be your first steps? And now I would like to let Steve introduce himself.

Steve Longenecker

Hi, I'm Steve Longenecker and I'm the director of IT Consulting at Community IT. I am coming to you from sunny, beautiful Washington, D.C. today. I'm a longtime resident of Washington, D.C., which is, I guess, Community IT's hometown. But I am a Google Workspace - I can't remember what they changed the name of the certification when I recertified. I'm not sure it's called engineer anymore, but I'm a workspace administrator or something.

Steve Longenecker

I'm a certified Google Workspace Administrator. And um and I've been working with our clients that have Google um as their as their primary uh productivity platform for a long time. So I'm looking forward to having this discussion with everyone.

Carolyn Woodard

I'm so glad that you're with us, Steve, because I know in our office when we have Google questions, you're one of our um great fountains of wisdom. So very happy to hear what the best practices are for security on Google Workspace, because I think that is a question that people ask a lot. Um,

Carolyn Woodard

Before we begin, if you're not familiar with Community IT, I'm going to tell you a little bit more about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support and we work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit.

Carolyn Woodard

We serve nonprofits across the United States, although we did start in DC, as Steve said. We've been doing this for 25 years. It's our 25th anniversary this year.

Carolyn Woodard

We are technology experts and are consistently given the MSP 501 recognition for being a top MSP, which is an honor I can announce we just received again last week for 2026. So we don't have the logo yet that says 2026 on it, but we did, we're on the list again. And we believe that we're one of the only MSPs on the list that serves nonprofits exclusively. So

Carolyn Woodard

I want to remind everyone that for the sake of these presentations, we're vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. And we never try to get a client into a product because we get an incentive or a benefit from that. We do consider ourselves a best of breed IT provider. So it's our job to know the landscapes, the tools that are available, reputable, and widely used. And we make recommendations on that basis for our clients based on their business needs, their priorities, and their budget.

Carolyn Woodard

We did get a lot of good questions at registration. So we're going to try and answer as many as we can today. We only have an hour. So anything we can't get to, please join us and Steve today after the webinar on our Reddit channel at r slash nonprofit IT Management. We're going to continue answering some questions over there for about 30 minutes after this webinar. And then if you have more questions that didn't come up or didn't think about them, just pop them in that thread and we'll be checking in for the next couple of weeks to see what we can answer.

Carolyn Woodard

A little bit more about us. Our mission is to create value for the nonprofit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance. We seek always to treat people with respect and fairness, to empower our staff, clients, and sector to understand and use technology effectively, to be helpful with our talents, and we recognize that the health of our communities is vital to our well-being and that work is only a part of our lives.

Carolyn Woodard

So now we are going to jump into our first poll. All right. So the first poll is attention. How much attention does IT security get at your organization? And your answers, possible answers, are too much. It makes it hard to do our jobs, and we have to log in every time we want to do something else. Number two is just right. My organization takes security seriously and our actions show it. Number three is not enough. We say it is important, but I worry we have holes in our approach. And number four is none, and that scares me. And number five is not applicable.

Carolyn Woodard

And you are anonymous in this poll, so um you can feel free to be honest. And if you're here because you are concerned about cybersecurity, you're in the right place. And

Carolyn Woodard

Steve, can you see that?

Steve Longenecker

I can.

Carolyn Woodard

All right. Could you let us know what the answers were?

Steve Longenecker

Yes, I will do that. So uh uh we had 40 people uh voting, um, and just two, five percent um uh chose that too much um option. I did want to put that on there because I do think it is possible to give too much attention to security. So uh it it can happen for sure, where it just gets it just makes it impossible. But I'm I'm really pleased that we had um a good third of the people saying just right. Um that's wonderful. And then uh about half were were concerned that um not enough is being done. Maybe, maybe it's uh a good game is being talked. And then uh five people said none at all. And that obviously scares them.

Carolyn Woodard

Yeah, yeah. And I think that's one of the things that we run into with Google Workspace is that you can set it up yourself and then you're not sure what you have done for security. So um again, no shame. Like if that's you, you're in that um boat, you've come to the right place, and we have a ton of cybersecurity resources on our website as well, which I will share in the chat later.

Carolyn Woodard

But right now we're gonna hand it over to Steve. You're gonna talk a little bit about that first question. Is Google Workspace secure or unsecure?

Steve Longenecker

Yeah. Um, and I think it is important to start with the fact that I would say Google Workspace, the platform, as far as it goes, is very secure. Google spends a lot of money on that. They make sure that their data centers are secure. Um, there's encryption in transit and at rest. They have great uptime. Compared to like back in the day when you might have had uh a Microsoft small business server in a nonprofit's IT closet, uh, this is a lot better now. There's just a lot less chance of things going dramatically wrong, which is what security is really all about than there used to be.

Steve Longenecker

That said, I will say that Google is a little different than Microsoft in that, at least for people who are running in Windows, um, Windows is part of the Microsoft uh family, like that Microsoft makes Windows, they make Microsoft 365, um, and they are sort of Microsoft sort of specializes in having this stack where everything from identity to file security to email security to device device security is sort of covered in one integrated place. And that that can be very helpful, particularly for smaller nonprofits that can't invest in sort of a best of breed approach. Um,

Steve Longenecker

Google is, I think, quite secure when it comes to email files, the things that are in Google Workspace. And it's not that you can't do any device management in Google Workspace, but we don't really see it that often, um, unless it unless we're talking about managing Chromebooks, in which case, uh, Google is very strong at managing Chromebooks in Google Workspace, and uh that's a very secure solution often.

Steve Longenecker

But the other thing about Google Workspace Security is that even though Google does a good job of like making its platform secure, it is a partnership. And so that's where we sometimes see insecurities emerge in is on the is on the other side, the the customer side. If you're not enforcing good password policies, if you're not um doing your part uh with configurations and so on, which is what this whole you know webinar is about, then uh it's not gonna be secure.

Steve Longenecker

So actually, there's this analogy that I have in my notes, I should say, you know, think of it as like Google providing a very secure building, but they don't get to control the key. The key they give the key to you, and it's you that are like in charge of the key. And if you're opening the door for strangers, that's a problem.

Carolyn Woodard

Yeah, what is Google going to be able to do about it? Exactly. Um, so we wanted to show um this nonprofit tier, and um, I'm hopeful that everyone on the webinar like knows that there's uh nonprofits sign up for Google Workspace and there's you know special pricing and all of the discount there. Um and

Carolyn Woodard

Steve, we were gonna just kind of briefly - I was surprised, not knowing very much about it, how many security features are included in that nonprofit tier.

Steve Longenecker

Yeah. The nonprofit tier is really exceptionally generous. Um, and it's a reason that I think a lot of of especially uh newer and and um smaller nonprofits start out in Google. It's pretty easy to set up. They make a lot of the tooling um pretty intuitive. They have really great and and sort of easy to understand documentation for administrators. And yeah, it's a it's a solid and and it's the nonprofit tier is free. You know, it's not like discounted, it's free, which is it's just an amazing um option that uh we, you know, we appreciate. Um, so yeah, this slide,

Steve Longenecker

I'm not gonna read all the different things, but like the number of things that Google includes in that free tier is is uh really impressive. And as we'll talk about later, um some of the things that I would say are the next layers that you need, probably you wouldn't pay Google for. They'd be more third-party um layers. And we'll we'll talk about that. But it is a nice collection of things.

Steve Longenecker

Now, there is is everything included? No, but that's kind of the way all of these platforms work. You know, they tend to have tiers and they want, they want, they're happy to move you up up the the chain for more functionality.

Carolyn Woodard

Yeah, but it's good to know that at that nonprofit level, you you get a lot. Um,

Carolyn Woodard

I want to move on and um talk a little bit more about definitions. So um, we find a lot of people, I myself am not like very technology oriented. And so when you're dealing with technology at your nonprofit, you may feel like you don't know the lingo. You might be dealing with an IT provider who uses a lot of lingo without explaining it. Um, we wanted to go over some common terms and demystify what we can.

Carolyn Woodard

We don't have time to go over everything that's on this slide, but I'm gonna put it all in the transcript. So you'll get a link that links back to the transcript, and we'll put the little, you know, definitions in under these other cybersecurity terminology that you might uh not know totally. Um so, but

Carolyn Woodard

I wanted to talk about a few at the top because, like especially this top one, the MFA and 2SV, that confuses me. So, Steve, could you talk a little bit about that?

Steve Longenecker

Sure. And I appreciate Carolyn that you've started adding this definition slide to these to these decks. Um I've been doing these webinars uh with you and even before you for a long time. And I think it's a really nice addition to the template, if you will, because yeah, I think we I forget as someone who's deep and deeply immersed in this stuff sometimes that definitions help.

Steve Longenecker

So MFA, which stands for multi-factor authentication, is the idea that um uh in addition to maybe your password, you are doing something else. That's where the multi comes from, doing something else to confirm your identity. And most typically, you might be using your phone, which you've registered ahead of time with the system to like approve your login on your phone.

Steve Longenecker

Some the other things that we see sometimes are these little uh FIDO keys, they're called, or YubiKey is the main brand. It's an actual physical key that you plug into the USB port on your computer or or or your phone, and it's like another, like you push that button. And since that that key is registered ahead of time, you can't get in with just your password. You have to have this second factor to get in.

Steve Longenecker

And it really has cut down on account breaches because passwords with computers are pretty easy to like, not pretty easy, but they are they are hackable because there's, you know, even if it's a 10-character password, you can just try all the different passwords with a computer program and get in. Or use people tend sometimes use easy to guess passwords, or they reuse passwords. So this multi-factor authentication helps a lot.

Steve Longenecker

2SV is just Google's language for that. So it stands for two-step verification. It is literally MFA with a different name. And I'm not quite sure why Google went its own way and didn't want to just call it MFA like everything else, every other uh platform provider has called it. But when you see 2SV, that just isn't to me an indication that you're dealing with Google and they're just using their term for MFA or multi-factor authentication.

Steve Longenecker

I'll go through the other ones real quick. Spoofing is a place where people can be vulnerable to uh security attacks. It's when an email uh appears to come from someone that it's not coming from, right? That could be internal. Uh I I get emails that appear to be from my my boss Johanny. It has her name, it has her email address, but it is not from her. And if I click on the links in that, I'm probably going to be leading to bad outcomes because someone is spoofing her account.

Steve Longenecker

There are things that we that you can do configuration-wise to reduce the likelihood of that. Um, one of the places that that can be done is using the next uh term here for for uh definitions, which is DNS.

Steve Longenecker

DNS is the it's a very old protocol. It's the internet's uh way of like resolving um friendly names to IP addresses, to names that machines understand. So when you go to www.communityit.com, you're going to a friendly name, but the the domain name server, uh the DNS servers out on the internet need to know that www.communityit.com goes to this specific server with this specific address.

Steve Longenecker

That that system's been expanded to have all sorts of rules that are because because it's a place where an organization can sort of publish some stuff about their systems that is considered authoritative and and um safe.

Steve Longenecker

So if in my DNS records, I say the only people that are allowed to send email from um the domain name communityit.com are Microsoft 365 and uh MailChimp. Those are the only two systems that are allowed to send that, or from Google and MailChimp. And the and the email from Google needs to be secured with this encryption key. You know, those things can be done with DNS, and that is what's used now to reduce that spoofing. So that's it.

Carolyn Woodard

So it protects you. You can set it up. It protects you

Steve Longenecker

To protect you. Yeah, yeah.

Steve Longenecker

And email is one is still remains one of the vectors, which, of course, Google Workspace has email. So it remains one of the vectors by which a lot of we see a lot of attacks and breaches because it is such an old protocol. Email has been around for 50 years. And um and so as a result of that, it's vulnerable to to new fangled things. And so some of these DNS fixes are like responses to that. Okay, I got to speed things up.

Steve Longenecker

Admin console, that's just the term for the um web page that you log into. It's at admin.google.com. Everybody has the same address, but once you log in it, they take you to your admin console. And it's where you configure the settings. Uh, it's also where you uh set up new users or get rid of or offboard old users, set up Google Shared Drives. All the things that you do in Google Workspace are done in the admin console as far as administration goes in the admin console. Um,

Steve Longenecker

Google Shared Drives are uh repositories for documents. Um traditionally, not traditionally, in the at the beginning of time when Google first sort of ran rolled out their suite of services with email and so forth, they just used what what I now call MyDrives, where each person had their own drive. And if they wanted to share folders with other people or documents with other people to collaborate, they would do that from their My Drive.

Steve Longenecker

And some years later, at some point, Google rolled out these shared drives. And shared drives are much, much more organizational owned and less owned by individuals. And so there's more opportunities for good governance and structure and security.

Steve Longenecker

And so we talk about Google Shared Drives in the context of security because it's it's basically a richer, better way of uh collaborating and storing documents in Google Workspace.

Steve Longenecker

And then finally, user account offboarding. User is uh active in your organization, they're a staff person, they've been working for you for a few years, then they they leave uh the job, they get another job, or whatever, that they're no longer working for you. How do you unwind their presence in your Google workspace? That's called user account offboarding. And then that that is a process that is a weak spot in a lot of workspace administration, and as a result, it is a place where security is sometimes compromised.

Carolyn Woodard

The offboarding might apply to volunteers as well if you give them an email for your organization, and then you're not keeping track of who's not volunteering for you anymore, then they have you know this account that's still open. So it's important to keep track of.

Carolyn Woodard

So, what are the biggest risks specific to Google Workspace at nonprofits? Because some of those, you know, like not offboarding a staff person who may be disgruntled, like that could happen in any platform, but specific to Google Workspace, um, what are we looking at?

Steve Longenecker

Yeah, so to the point of the offboarding, I think it's more just that's the last one on the on the list here, but I'll I will, since you just brought it up, I'll bring it up.

Steve Longenecker

I think people know that if they're if they're firing a disgruntled employee, that they're going to do whether they have a formal procedure that they follow rigorously or not, they're going to reset the password, maybe suspend the user.

Steve Longenecker

Google is complicated by the fact that if you suspend the user, their email stops working. So it's not good in some ways, Google's processes don't make offboarding as easy as some other platforms might, because you want to suspend the user because that makes sense, right? But then all of a sudden, you might want them to still be able to receive email. You just want that email to like be read by somebody else in your organization, not obviously by the person who's no longer there. But the email address might still be valuable. Like if it's, you know, someone who's still that email address is still getting, let's say they're a program manager. They might still be getting emails from your external stakeholders. You just need their manager to read the emails. And that that can all be done, but that's what the offboarding procedure is about. No,

Steve Longenecker

I think the risk is more not I'm firing a disgruntled employee. The problem is we don't have a great policy for offboarding users. And so we have all these user accounts, and we don't know what the passwords are anymore. And so it's just an opportunity for someone to like try to wheedle their way in through some sort of dictionary attack or something. Um,

Steve Longenecker

It might not be the highest risk thing if you have good MFA, 2SV in Google's case, enforcement and so on, but it's still like would be it is you want to part of security is reducing your threat landscape as much as possible.

Steve Longenecker

So anytime you have unused accounts just lying around, that's an opportunity. It may not be a likely opportunity, but you want to try to reduce that.

Steve Longenecker

The first one on the list is not specific to Google, but it is definitely worth putting on any list when you're talking about the biggest risks, um, which is just phishing and credential theft. So, yeah, maybe the title of the slide could have just been biggest risks to Google Workspace at nonprofits. It is a big risk, but it's not specific to Google Workspace.

Steve Longenecker

Then, also not specific to Google Workspace, but true for Google Workspace users, you definitely want to have that 2SV system set up, configured, and you want to have it enforced.

Steve Longenecker

One of the areas that that can be tricky is I'm bouncing around and I apologize for that. But the second to last one on this list, shared and generic accounts, that's where 2SV sometimes runs aground because it's very clear if I'm logging in as me that I'm the only one who should be able to, on my phone, say yes, that's me, let me in. But if I'm also sharing an account called info at or um donations at or whatever, then um maybe there's four of us sharing that password. And how do we do the 2SV for that? Because all four of us need to have it set up on our phones. It's not that it's impossible to do, but it's very unwieldy.

Steve Longenecker

So we help our clients work around those things by using um like Google groups for like those kinds of email addresses. So you don't have a user account called donations at nonprofit.org, but instead you might have a Google group called donations at Google at nonprofit.org and use configure it, and then the members of that group can read those emails and respond to them. Um, but

Steve Longenecker

Shared and generic accounts can be problems because when there's a one-to-one correspondence, this human being has this user account, it's very easy to sort of keep the security and they quickly notice if somebody, if they, if their account's doing weird things, they're going to raise their hand and say, hey, I don't know why, but like, you know, all my friends say that I'm getting that I'm emailing them. I'm not emailing them, what's going on? And then so we investigate and we solve that problem.

Steve Longenecker

But if it's a generic account that people only log into occasionally and someone gets into that somehow, then maybe no one even notices for a week or two, you know, because it's not managed very well. And then the, yeah, the 2SV and so on.

Steve Longenecker

Wire fraud and business email compromise is sort of uh part of that phishing credential theft. It's actually kind of of the same idea. But we do see that is one of the things that we still see is is that at and I think it has to do with in many ways, it's not specific to Google Workspace, but it might be specific to nonprofits. Nonprofits frequently have um I don't want to say this in a in a way that's insulting to anybody, but like maybe looser like processes for handling money sometimes. It might be more informal. So, like for an executive director to say to someone, hey, I need to take care of this situation because this donor is asking for it, that might be more likely to happen at a small nonprofit than it might be to happen at a bank, where there's very rigorous like processes that everybody knows to go through.

Steve Longenecker

And so we have seen wire fraud, um, and that's a generic term for like banking, you know, like talking, you know, or or buying what are the gift cards, you know, those kinds of things happen and we and we see that a fair amount, um, less than we used to because people are getting more sophisticated about it, but it still happens.

Steve Longenecker

And then this Google Drive files. So this goes back to the shared drives. It's good to use shared drives, but it is also important when you use shared drives that you structure the and the configuration uh appropriately. Do you want to allow external sharing from that particular Google Drive? Um, who are the members of it? Um, all of those kinds of things. Oh, and then the last one, sorry, I'm man, and I'm I'm running out of your, I'm I'm getting off your schedule, Carolyn. But

Steve Longenecker

The unmanaged personal accounts, that's not super common unless you have a relatively new account where maybe you weren't using Google Workspace before and now you are. Um, but people can sign up for um like Google Drive as a per as a as a regular consumer, as a person, not as a member of your enterprise, of your organization, and use their, you know, your organization's domain name, like their email address. And if you weren't in Google at the time. So so it is possible that there are personal, they're potentially Gmail accounts or Google accounts that are associated with your domain name, but they're not actually in your Google workspace. And there's a place in the in the admin portal where you can you can see who that list is. Oftentimes it's long ago, long-departed employees, and it's probably not a risk.

Carolyn Woodard

Um from early on, maybe when you were setting it up, they had their own email like on your board when you were setting up.

Steve Longenecker

That's right. Um,

Carolyn Woodard

I feel like I want to mention here that um if you need help doing some of the things in the admin portal, Google does have a knowledge base. You can look up questions of like, how do I find this? Where do I do that?

Steve Longenecker

Yeah, you know, and I always give Microsoft credit for like owning Windows and like Microsoft 365 and Microsoft Office, the desktop suite, you know, Word Excel, and how useful that is uh at for that world.

Steve Longenecker

One of the nice things about Google is they own Google. So Googling a question, actually, I don't know. I find that it works really well, and I like uh Google's knowledge base articles. We call them KBs. We

Steve Longenecker

I like their knowledge base articles more than I like Microsoft's for a um non X non-uh professional IT person. So if you're managing your IT um for your nonprofit and you and that's not your main job or it's not what you were trained in, but you're doing the best you can, I think you're gonna get good mileage out of Google's KBs. Um, and

Steve Longenecker

And you can be, in that case, I think, thankful that you're not doing the same thing in Microsoft. I think Microsoft is okay, but they tend to be more technical, harder to read. Uh you need to bring more background to it than you do to Google. Google is is a little bit more um uh uh try to keep things tries to keep things simple.

Carolyn Woodard

It's very consumer oriented. Yeah. We have one quick question on can you transfer or forward a suspended account in Google Workspace to

Steve Longenecker

You can. So that's what I was talking about, how you can see those accounts. But the trick, not true, you can. Um you can, yes. For for the ones that are long, long, long departed. I don't know whether you need you might need to like um it might be tricky because that the email may or may not work, but yes, you can do that. Yes, yes, that's a short answer.

Carolyn Woodard

Okay.

Carolyn Woodard

Um, all right, we're gonna, yes, we're gonna move along a little bit. Um, so

Carolyn Woodard

What can you do right now to protect your organization? First and next steps. I think we've talked a little bit about some of these. If you want to kind of run down.

Steve Longenecker

Yeah. So yes, let's just start with the easy one. Make sure that 2SV is turned on. Uh, and that's by default turned on, but it's not by default enforced, I don't think, for at least for older, older um workspace tenants that have been established for a while. So you need to turn it on. It's a little uh

Steve Longenecker

Google is a little is different from Microsoft in this regard. With Microsoft, you enable it or it's enabled, and you tell everybody to go ahead and get it set up and you warn them that you're going to be enforcing it on Friday, so everybody needs to get it done by Friday, yada, yada, yada. And then on Friday you enforce it. And the next time they try to log on, they can't get on until they set up MFA. So they're fine, they're forced to. And that is still a change management concern because if they're like logging on right before a meeting, that's a really important meeting, and now they are like losing five minutes because they're setting up MFA. So, you know, it's still a concern. But

Steve Longenecker

Google's much more challenging in terms of change management in that with Google, if you have not set it up and it gets enforced, you just can't log in. At that point, you need to open a ticket with the help desk or the administrator, whoever that is. And they need to, like, work with you to, you know, because you can't, you need to do it ahead of time. But it should still be done. So it is important. It is possible to make exceptions. So if it just absolutely has to have an exception for a user account, that can be done.

Steve Longenecker

But the recommendation is that you enforce MFA or 2SV for everyone.

Steve Longenecker

Auditing your accounts refers to sort of this offboarding, um, and also, like, who has administrative privileges. We have seen, um, clients where it seemed like the easiest thing in the world was just to make almost everybody a super admin, or, you know, all the executive super admins. And that's a risk because if an account is breached, that person, you know, has too much power in that situation. So look at that, look at what the accounts are. Are there accounts that you can deprecate, um, so forth. Uh the

Steve Longenecker

Google Drive sharing settings, um, we talked about already, I won't go into it again, but there are settings for Google Drives, things like who can share, you know, who things can be shared to, um, whether, yeah, anyway, you want to look at those things and then use Google Shared Drives. That is, I think, a security concern. If you are just using My Drives and sharing folders from My Drives, that's really something that you want to, it's hard to correct. And we do have a blog post about how it's challenging to correct once it's, um, out there already, but it's worth putting on your map that we do want to get this corrected at some point and figure out, um, how to do that. So use Google Shared Drives. Um

Steve Longenecker

Login alerts are a nice touch that's available at the free tier. So, um, if you do have super admins, you could have it set so that every time a super admin logs in, you know, there's alerts being sent out to the other super admins or to the other, um, contacts for the account. Um, that's helpful.

Steve Longenecker

Training staff, that is really helpful. Explaining how, um, phishing works and, um, helping people understand that email is a threat, that, uh, chats and texts are a threat, you know, that this is not just email anymore. Those are all things that we can do. Um

Steve Longenecker

We talked about offboarding and we talked about the DNS policy to reduce, uh, email spoofing, and I won't go into it now, but it's things like DMARC, DKIM, these are things that you can do just so that, you can't stop, uh, spoofing external, if, like, your staff are getting emails from other organizations, they might be spoofed. That you can't control. You can only control your own, but it's really good for your own staff fooled by emails that appear to be from within your organization. That's one thing. Also, not to have the reputational damage of, it's not a breach. No one's actually sending email from your Google Workspace, but that appears to be from your Google Workspace, and because you haven't done enough to turn up the dial on what the spoofing protection is.

Carolyn Woodard

Yeah, and I know I'm sorry, I was just looking for it quickly. I know we have a blog post on the DMARC and DKIM, but I'll have to find it and share it maybe in the transcript also. Um

Carolyn Woodard

We have one more quick question. Uh, is it possible to disable downloading or printing documents in Google Workspace?

Steve Longenecker

Uh, yes, I believe that it is. Um, I don't know if it's possible at the free tier. I'm sorry I don't have that at my fingertips.

Carolyn Woodard

We can provide, we'll answer it over on, um, Reddit and we'll provide it in the transcript. We'll make sure we have that right answer.