Google Workspace security settings: Defaults vs Configured for UK SMEs

Most small and medium-sized businesses in the UK treat Google Workspace like an email box with extras. An account is created, users are added, and everyone carries on. That’s the default approach: quick, cheap, and risky.

This post contrasts two distinct patterns of administering Google Workspace security settings. One is common and fragile. The other is deliberate and business-focused. Read each section and use the examples at the end of each to make immediate changes that cut risk without needing a week of downtime or a bank of consultants.

Default-first: Turn it on and hope the defaults keep you safe

The default-first mindset is: set up accounts, enable a handful of standard protections, and assume Google’s defaults will handle threats. It’s attractive because it feels like progress. People are added, email flows, calendars sync. But defaults are designed to cover a wide range of customers, not your particular risk profile.

What this actually means on the ground for a UK SME is predictable and fixable.

  • Single sign-on and admin access are often consolidated in a couple of accounts. If one of those credentials is compromised, an attacker can move laterally through everything.
  • MFA may be optional or unevenly applied, left to user preference rather than enforced for high-risk roles.
  • Third-party apps with OAuth access are permitted en masse. Staff install tools that request broad scopes and stay authorised long after they’re useful.
  • Data-loss protections and retention policies are not configured because the team believes backups or Google’s storage will be enough.

Business impact is practical, not academic: a single compromised mailbox can lead to invoice fraud, leaked personal data, or a ransomware foothold. Recovery takes time, external support and, often, notification obligations under the UK’s data rules.

Concrete examples of the default-first trap

  • Example A — No enforced MFA: an accounts-payable user’s password is phished and used to approve a fraudulent supplier change. Banking detail changes and a payment goes out before anyone notices.
  • Example B — Wide app access: a staff member installs a timesheet app that requests access to read and manage emails; the app later leaks an API token and messages are scraped.
  • Example C — All admins equal: every manager is given a high-level admin role for convenience, so a single compromised manager account exposes settings and sensitive archives.

These are not exotic scenarios. They are the direct results of relying on out-of-the-box settings and ad-hoc decisions. The fix isn’t a full rewrite — it’s a change in posture.

Risk-first: Configure settings to protect the business and its people

A risk-first approach starts by asking what an attack would cost the business and who would be worst hit. It then applies Google Workspace security settings that reduce that risk fastest. This isn’t about ticking every security box; it’s about prioritising controls that protect money, customer data and the brand.

Key elements of this approach are: enforceable multi-factor authentication, role-based admin controls, limited third-party app authorisations, and basic monitoring and alerting. Put simply: close the obvious ways in and you significantly lower the chance of a serious incident.

There are two additional principles that matter for UK firms. First, make changes with a plan for staff support — sudden lockouts kill productivity. Second, look at compliance and notification obligations early; the ICO expects reasonable steps to secure personal data.

Where to start is often obvious: lock down high-impact accounts first, then widen protections. That way you create immediate protection for payroll, finance, HR and leadership before tackling lower-risk groups.

Concrete examples of the risk-first approach

  • Example A — Enforce MFA selectively: require security keys or app-based MFA for admins and finance staff immediately, then roll out mandatory MFA for the rest of the organisation within one month.
  • Example B — Tighten admin roles: create narrowly scoped admin roles (user management, device management, audit-only) rather than handing out full super-admin access.
  • Example C — Manage third-party apps: implement an approved apps list and revoke tokens for unused apps during a quarterly review.

These measures are practical and quick to implement, but they benefit from a short, documented rollout plan and staff guidance. A phased approach avoids mass confusion and keeps business functions running.

How to pick which settings to change first

Prioritise by impact and ease of deployment. Start with steps that block the simplest and most common attack paths, and that don’t require long approvals or expensive tooling.

  1. Require multi-factor authentication for high-risk users (admins, finance, HR).
  2. Split admin roles and review who has super-admin rights.
  3. Implement an approved third-party app policy and scan for broad OAuth grants.
  4. Turn on basic monitoring and alerting for suspicious logins and data sharing.

For a reference on broader cloud security practices you can compare against, see NCSC’s guidance on securing cloud services.

If you prefer someone else to handle the nitty-gritty, consider a short engagement for configuration and handover — for example a partner who provides managed Google Workspace support and will leave you with clear controls and staff instructions.

Practical checklist you can action in a single afternoon

Pick three things from the list below and do them this afternoon. Each one materially reduces business risk.

  • Enforce MFA for five priority accounts (CEO, CFO, payroll, HR lead, IT admin).
  • Audit admin roles and remove super-admin rights where unnecessary.
  • Review OAuth app permissions and revoke access for apps used by fewer than two people unless the business case is clear.
  • Configure alerts for unusual sign-ins (new locations, impossible travel) and designate who will act on them.

Make notes as you go so you can repeat or hand the procedure to a colleague. Small, documented steps beat a big, undocumented scramble after an incident.
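The third-party app review (step 3 above and the OAuth item in the checklist) is easier to repeat quarterly if the export is triaged by a script. The following is an added example, not code from the original post; it assumes the records have the shape of token entries returned by the Admin SDK Directory API tokens.list call (userKey, clientId, displayText, scopes), and the sample records and approved-app list are constructed for illustration.

```python
"""Triage third-party OAuth grants exported from Google Workspace (added example)."""
from collections import defaultdict

# Scopes that grant broad read/write access to mail, files or the directory.
# These are real Google scope identifiers; the set is a starting point, not exhaustive.
BROAD_SCOPES = {
    "https://mail.google.com/",                              # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",                 # full Drive access
    "https://www.googleapis.com/auth/admin.directory.user",
}

# Constructed sample export: one record per (user, app) grant, shaped like tokens.list output.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.co.uk", "clientId": "1111.apps.googleusercontent.com",
     "displayText": "Timesheet App", "scopes": ["https://mail.google.com/", "openid"]},
    {"userKey": "bob@example.co.uk", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.co.uk", "clientId": "2222.apps.googleusercontent.com",
     "displayText": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "dave@example.co.uk", "clientId": "3333.apps.googleusercontent.com",
     "displayText": "Old CRM Plugin", "scopes": ["https://www.googleapis.com/auth/drive"]},
]

def triage_oauth_grants(tokens, approved_client_ids=frozenset(), min_users=2):
    """Return review items for apps that are not approved and either request a
    broad scope or are used by fewer than `min_users` people (the checklist rule)."""
    by_app = defaultdict(lambda: {"name": "", "users": set(), "scopes": set()})
    for t in tokens:                      # group grants per app (clientId)
        entry = by_app[t["clientId"]]
        entry["name"] = t.get("displayText", t["clientId"])
        entry["users"].add(t["userKey"])
        entry["scopes"].update(t.get("scopes", []))

    findings = []
    for client_id, entry in sorted(by_app.items()):
        if client_id in approved_client_ids:   # approved apps list: skip
            continue
        reasons = []
        broad = sorted(entry["scopes"] & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if len(entry["users"]) < min_users:
            reasons.append(f"used by only {len(entry['users'])} user(s)")
        if reasons:
            findings.append({"clientId": client_id, "app": entry["name"],
                             "users": sorted(entry["users"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_oauth_grants(SAMPLE_TOKENS):
        print(f"{f['app']} ({f['clientId']}): {'; '.join(f['reasons'])}")
```

Each finding lists the users affected, so the revoke step and the staff notice can be handled per app rather than org-wide.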

Next concrete step

Book one hour this week to apply the three priority controls above. Protect the five most critical accounts, tidy up admin roles, and revoke any obviously unnecessary app access. After that, schedule a 90-minute review with whoever handles IT or finance to extend protections across the rest of the organisation.

Taking these actions will cut the chance of an avoidable breach, reduce recovery time if something does happen, and give customers and staff more confidence in how you run IT. If you’d like help making the changes without disrupting the business, arrange a short configuration audit to save time, money and stress.
