(Cross-posted from The Keyword)
Posted by Nicolas Kardas, Product Manager Gmail Security, and Sam Lugani, Security Product Marketing G Suite

We work hard to help protect your company against phishing attacks—from using machine learning, to tailoring our detection algorithms, to building features to spot previously unseen attacks. While we block as many external attacks as we can, we continue to build and offer features designed to empower IT administrators to develop strong internal defenses against phishing.
Here are seven things we recommend admins do in G Suite to better protect employee data.
1. Enforce 2-step verification

Two-step verification (2SV) is one of the best ways to prevent someone from accessing your account, even if they steal your password. In G Suite, admins have the ability to enforce 2-step verification. 2SV can reduce the risk of successful phishing attacks by asking employees for additional proof of identity when they sign in. This can be in the form of phone prompts, voice calls, mobile app notifications and more.

G Suite also supports user-managed security keys—easy-to-use hardware authenticators. Admins can choose to enforce the use of security keys to help reduce the risk of stolen credentials being used to compromise an account. The key sends an encrypted signature and works only with authorized sites. Security keys can be deployed, monitored and managed directly from within the Admin console.
2. Deploy Password Alert extension for Chrome

The Password Alert Chrome extension checks each page that users visit to see if that page is impersonating Google’s sign-in page and notifies admins if users enter their G Suite credentials anywhere other than the Google sign-in page.

Admins can enforce deployment of the Password Alert Chrome extension from the Google Admin console (Device management > App Management > Password Alert)—just sign in and get started. You should check “Force installation” under both “User Settings” and “Public session settings.”

Admins can also enable Password Alert auditing, send email alerts and enforce a password change policy when G Suite credentials have been used on a non-trusted website such as a phishing site.
3. Allow only trusted apps to access your data

Take advantage of OAuth apps whitelisting to specify which apps can access your users’ G Suite data. With this setting, users can grant access to their G Suite apps’ data only to whitelisted apps. This prevents malicious apps from tricking users into accidentally granting unauthorized access. Apps can be whitelisted by admins in the Admin console under G Suite API Permissions.
4. Publish a DMARC policy for your organization

To help your business avoid damage to its reputation from phishing attacks and impersonators, G Suite follows the DMARC standard. DMARC empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy and turning on DKIM email signing, you can ensure that emails that claim to be from your organization are actually from you.
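As an added illustration of what a published DMARC policy asks a receiver to do (simplified from RFC 7489; this is not Google's code and not part of the original post), the evaluator below parses a constructed DMARC TXT record and applies it to sample DKIM and SPF results. The domains, the record and `org_domain` (a deliberately crude stand-in for the public-suffix lookup real receivers use) are all assumptions.

```python
# Added illustration of DMARC policy evaluation (RFC 7489), not Google's code.
# All domains, the record and the authentication results are constructed samples.

# Constructed sample: the TXT record a domain owner might publish at _dmarc.example.com
SAMPLE_DMARC_TXT = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
                    "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict, applying the DMARC defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    return tags


def org_domain(domain):
    """Crude organizational-domain guess (last two labels); real receivers use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record_txt, record_domain, from_domain,
                      dkim_pass_domain=None, spf_pass_domain=None):
    """Return 'pass', or the action (none/quarantine/reject) the owner requested for unauthenticated mail."""
    rec = parse_dmarc(record_txt)
    # dkim_pass_domain: d= of a DKIM signature that verified; spf_pass_domain: envelope domain if SPF passed
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, rec["adkim"])
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, rec["aspf"])
    if dkim_ok or spf_ok:
        return "pass"  # one aligned, passing authentication is enough
    # Failing mail: 'p' applies to the record's own domain, 'sp' to its subdomains
    if from_domain.lower() == record_domain.lower():
        return rec["p"]
    return rec["sp"]
```

Note that with `aspf=s` an SPF pass for a mail-relay subdomain does not rescue a message whose From: is the bare domain, which is why turning on DKIM signing, as the post recommends, matters for real deployments.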
5. Disable third-party email client access for those who don’t need it

The Gmail clients (Android, iOS, Web) leverage Google Safe Browsing to incorporate anti-phishing security measures such as disabling suspicious links and attachments and displaying warnings to users to deter them from clicking on suspicious links.

By choosing to disable POP and IMAP, Google Sync and G Suite Sync for Microsoft Outlook, admins can ensure that a significant portion of G Suite users will only use Gmail clients and benefit from the built-in phishing protections that they provide. Additional measures include enabling OAuth apps whitelisting to block third-party clients, as suggested earlier in this post.

Note: all third-party email clients, including native mobile mail clients, will stop working if the measures outlined above are implemented.
6. Encourage your team to pay attention to external reply warnings

By default, Gmail clients (Android, Web) warn G Suite users if they’re responding to emails sent from outside their domain by someone they don’t regularly interact with, or from someone not in their contacts. This helps businesses protect against forged emails from malicious actors, or just plain old user error like sending an email to the wrong contact. Educate your employees to look for these warnings and be careful before responding to unrecognized senders. Unintended external reply warnings are controlled from the Admin console under the “Advanced Gmail” setting.
7. Enforce the use of Android work profiles

Work profiles allow you to separate your organization's apps from personal apps, keeping personal and corporate data separate. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources. You now have complete control over which apps have access to your corporate data.
These steps can help you improve your organization’s security posture and become more resistant to phishing attacks. Learn more at gsuite.google.com/security or sign up for our security webinar on September 20, 2017, which features new security research from Forrester and a demonstration on how the cloud can help effectively combat cyber threats.