Guard against targeted attacks

As a Google administrator, you can protect the accounts of those most at risk of experiencing targeted attacks, such as journalists, activists, business leaders, and political campaign teams.  

This article shows you how to use the settings in G Suite to protect your users against targeted attacks and provide an advanced level of protection.

Before you begin

Create a group of the users you want to guard against targeted attacks. Call it google-ap-users@your-domain.com and assign the users to that group. For more details, see Managing Groups for your Google service.

Set up advanced protection

Step 1: Enforce security keys

To enforce security keys for users in your new advanced protection group:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Scroll to the Two-step verification section.
  4. Click Go to advanced settings to enforce 2-step verification.
    The Advanced security settings page opens. The root organization is selected by default and you should leave this selected.
  5. Next to Group Filters, click Select.
  6. In the Select a group to apply filter window, select google-ap-users@your-domain.com.
  7. Click Done.
  8. On the Advanced security settings page, select Turn on enforcement now and then OK.
    Note: To defer enforcement, select Turn on enforcement from date and select a date. Don’t defer enforcement if you haven’t distributed security keys to your users yet.
  9. In Allowed 2-step verification methods, select Only Security Key.
  10. Click Save.

The next time your users sign in, if the window is still open, they see a prompt for the security key. Otherwise, they can’t sign in. We recommend that you add security keys for each of the users in the group (google-ap-users@your-domain.com). For more details, see Making two-step verification (2SV) deployment easier.

Step 2: Protect your G Suite assets

Protect your G Suite assets by locking down a third-party application’s access to your Gmail and Google Drive data:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security > API reference.

    To see Security on the Home page, you might have to click More controls at the bottom.

    In API access, you find a list of Google products, each with an enable or disable option.
  3. For Gmail, click Disable and leave the default option at All Access.
  4. For Drive, click Disable and leave the default option at All Access.
  5. Click Save.

Note: This setting applies to your entire domain. You can’t apply it to individual users in the google-ap-users@your-domain.com group. For more information about this blacklisting feature and how to whitelist your trusted apps, see Manage access to third-party apps with new G Suite security controls.

Step 3: Enable enhanced email scanning

Take this step to enhance scanning of incoming email for phishing attempts and viruses, and to deep-scan attachments for malicious content.

Note: You can’t limit this setting to a group. You need to apply this at the root (top-level) organization or at the appropriate child organization.

To enable enhanced scanning of your incoming email:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps > G Suite > Gmail > Advanced settings.
  3. Search the Advanced settings page for Enhanced pre-delivery message scanning and check the box for this setting.
  4. Search for Security sandbox and check the box for this setting.
    This feature can delay delivery of certain types of messages, but it does a deep scan of attachments in a secure sandbox environment for maximum protection.
  5. Click Save.

For more details, see Set up Security sandbox and Use enhanced pre-delivery message scanning.

Step 4: Force all users to log out

Once you assign the settings you want, end the sessions of each of your advanced protection users. To do this, go to each user’s profile page in the Admin console.

This ensures that an attacker who might be in one of your user’s accounts is signed out. Even if an attacker has the user’s credentials, they can’t reestablish a session without a security key.

For more details, see Reset a user’s sign-in cookies.
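
For a large group, the per-user sign-out in Step 4 can be scripted. The sketch below is an added example, not part of Google's article: it calls the Admin SDK Directory API methods members.list and users.signOut, and assumes you supply `http`, a hypothetical callable `(method, url, params) -> (status, json)` backed by an administrator-authorized client. `fake_http` and its addresses are constructed so the script runs offline.

```python
from urllib.parse import quote

API = "https://admin.googleapis.com/admin/directory/v1"
GROUP = "google-ap-users@your-domain.com"  # group created in "Before you begin"


def list_group_users(http, group=GROUP):
    """Page through members.list; return (user_emails, skipped_members)."""
    users, skipped, token = [], [], None
    while True:
        params = {"maxResults": 200}
        if token:
            params["pageToken"] = token
        status, body = http("GET", f"{API}/groups/{quote(group)}/members", params)
        if status != 200:
            raise RuntimeError(f"members.list failed with HTTP {status}")
        for m in body.get("members", []):
            # Nested groups are not expanded here; report them for manual review.
            target = users if m.get("type") == "USER" else skipped
            target.append(m.get("email") or m.get("id"))
        token = body.get("nextPageToken")
        if not token:
            return users, skipped


def sign_out_group(http, group=GROUP):
    """Call users.signOut per user; report failures instead of stopping."""
    users, skipped = list_group_users(http, group)
    failed = []
    for email in users:
        status, _ = http("POST", f"{API}/users/{quote(email)}/signOut", None)
        if not 200 <= status < 300:
            failed.append(email)
    done = [u for u in users if u not in failed]
    return {"signed_out": done, "failed": failed, "skipped": skipped}


def fake_http(method, url, params):
    """Constructed offline stand-in for an authorized HTTP client (assumption)."""
    if method == "GET" and not (params or {}).get("pageToken"):
        page = [{"email": "ann@your-domain.com", "type": "USER"},
                {"email": "press-team@your-domain.com", "type": "GROUP"}]
        return 200, {"members": page, "nextPageToken": "p2"}
    if method == "GET":
        return 200, {"members": [{"email": "bob@your-domain.com", "type": "USER"}]}
    return (404, {}) if "bob%40" in url else (204, {})


if __name__ == "__main__":
    print(sign_out_group(fake_http))
```

Review the `failed` and `skipped` lists before treating Step 4 as complete: any account left in them still has its old sessions.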

 
