Security checklist for small businesses (1-100 users)

You worked hard to establish your business. Don’t let security risks impact your success. Take these security measures to help protect your business information.

If you have a very small business (1-20 users) or small business (21-100 users), you probably don’t have a dedicated IT administrator, so we’ll keep the list short!

Protect your accounts

Use unique passwords

A good password is the first line of defense to protect user and admin accounts. Unique passwords aren’t easily guessed. For example, think of a long sentence and use the first letter of each word as your password.

Also discourage password reuse across different accounts, such as email and online banking.

Create a strong password & a more secure account

Require admins and key users to give extra proof of who they are

If someone manages to steal your password, 2-step verification (2SV) can prevent them from accessing your account.

2SV requires users to verify their identity through something they know (such as a password) plus something they have (such as a physical key or access code) to gain access.

We recommend that everyone in your business use 2SV, but it’s especially important for admins and users who work with sensitive data such as financial records and employee information. You should enforce 2SV for admins and key users.

Protect your business with 2-Step Verification | Deploy 2-Step verification

Admins should add recovery information to their account

If your admin forgets their password, they can click the Need help? link on the sign-in page and Google will send a new password via phone, text, or email. To do that, Google needs a recovery phone number and email address for the account.

Add recovery options to your administrator account

Get backup codes ahead of time

If your business enforces 2SV and a user or admin loses access to their 2SV method, they won’t be able to sign in to their account. Examples are a user who receives 2SV verification codes on their phone and loses their phone, or a user who loses their security key.

In a case like this, they can use a backup code for 2SV. Admins and users with 2SV turned on should generate and print backup codes and keep them in a secure location.

Generate and print backup codes

Create an additional super admin account

A business should have more than one super administrator account, each managed by a separate person. If your primary super admin account is lost or compromised, the backup super admin can perform critical tasks while the primary account is recovered.

You create another super admin by assigning the super admin role to another user.

Assign administrator roles to a user

Keep information on hand for super admin password reset

If a super admin can’t reset their password using email or phone recovery options, and another super admin isn’t available to reset the password, they can contact Google Support.

To verify identity, Google asks questions about the organization’s account. The admin also needs to verify DNS ownership of the domain. You should keep account information and DNS credentials in a secure place in case they’re needed.

Security best practices for administrator accounts

Super admins shouldn’t remain signed in to their account

Super admins can manage every aspect of your company’s account, and can access all business and employee data. Staying signed in to a super admin account when you aren’t performing specific administrative tasks can increase exposure to potential malicious activity.

Super admins should sign in as needed to do specific tasks and then sign out. For daily administrative tasks, use an account with limited admin roles.

Pre-built administrator roles | Security best practices for administrator accounts

Enable auto update for apps and Internet browsers

To get the latest security updates, make sure your users enable auto update for their apps and Internet browsers. If they use Chrome, you can configure auto-update for your entire organization.

Auto-update policies (Chrome)

If you use Gmail, Calendar, Drive, Docs

Turn on enhanced pre-delivery message scanning

Phishing is the malicious practice of sending email that attempts to trick users into revealing sensitive information, such as passwords, account numbers, or other personally identifiable information.

Google scans incoming messages to help protect against phishing. When Gmail identifies that an email may be a phishing attempt, it might display a warning or move the email to a spam folder. Enhanced pre-delivery message scanning enables Gmail to help catch email that previously might not be identified as phishing.

Help prevent phishing with pre-delivery message scanning

Turn on additional malicious file and link screening for Gmail

Google scans incoming messages to protect against malicious programs, such as computer viruses. Turn on additional safety checks for attachments, links, and external images to help catch email that previously might not be identified as malicious.

Advanced phishing and malware protection

Make sure email recipients don’t mark your email as spam

Email spam is unsolicited bulk email messages. It’s generally used by unscrupulous advertisers because there are no operating costs beyond that of managing their mailing lists.

Sender Policy Framework (SPF) is an email security method to authorize legitimate email sent by users at your company. An SPF record identifies which mail servers are allowed to send email on behalf of your domain.

If you don't set up SPF for your domain, some messages could bounce or could be marked as spam.

Authorize email senders with SPF

Restrict calendar sharing with people outside your company

User calendars can contain sensitive information. You should limit how your users share their calendars with external users. Restrict external calendar sharing to free/busy information only.

Set calendar visibility and sharing options

Limit who can see newly created files
You can specify who can see the files your users create. Make sure only the user who creates a file can open it until they explicitly share the file. Do this by turning Link Sharing off.

Set the default for link sharing

Warn users when they share a file with people outside your company

If you let users share files with external people, make sure they get a warning when they attempt to do this. The warning prompts them to confirm that they want to share the file with someone outside of your company.

Don't let users in your organization share with anyone

Does your business have special security requirements?

Your business might have fewer than 10 people but have the information security requirements of a much larger company.

For example, small investment and financial planning businesses, and any business that works with health information might have special regulatory, privacy, and security requirements. These companies might have dedicated IT admins who take care of these extra requirements.

If that sounds like your business, follow the security best practices in the Security checklist for medium and large businesses (100+ users).

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu