How to Secure your Google Documents

Data sharing and document reviews between employees are essential to any workplace, and Google Workspace makes this easy and efficient. However, it also can come with risks. You want to avoid opportunities for external parties to access, or even steal, your documents and sensitive company data.

Did you know that employees often share confidential and sensitive information without you even knowing? Over 45% of employees admit to taking documents from former employers. Have you considered whether your employees really lose access to documents once they’ve left your company?

The majority of employers think that once they’ve offboarded an employee and removed them from the system, that person no longer has access to company documents. But, unfortunately, this isn’t always the case.

35% of employees can still access Google documents after leaving a company

In general, when companies offboard employees, they’ll turn off their Google accounts and transfer ownership of documents to a different account. Usually, accounts in other cloud tools are also switched off. But 35% of employees have said that they could still access documents after leaving a company, which is a considerable risk for document exfiltration. In addition, it’s also a breach of various compliance frameworks that require full offboarding of employees, such as SOC 2 and ISO 27001.

If you can’t manage how employees share company documents, you could end up with drastic consequences for your company:

  • Your former employees can use your company documents and information at their new job to benefit themselves and their new company—or even work for a competitor.
  • Your competitors can see and use your sensitive internal information, including financial records, spreadsheets, salaries, customer lists, etc. You don’t want your business strategies or sales pitches to potential investors falling into the wrong hands.
  • Your former employees can leak sensitive information to the public, resulting in massive damage to your company’s brand image and, quite possibly, hefty penalties.

The importance of document security

Whether you’re a small business owner or an IT admin for a large company, the implementation of document security starts at an administrative level. You must establish organizational policies and set up hardware to ensure all staff follow specific rules and steps regarding document security.

Individually, team members will need to follow the policies, ensuring they are doing everything they can to guard sensitive information and documents.

If you’re a Google Workspace admin, let’s take a look at some best practices to secure all your company documents.

1. Use strong passwords

A strong password is the most crucial first step to protect admin and user accounts. You want to set minimum and maximum strength requirements. Help your team choose strong passwords that aren’t easily guessed and share tips on how to create effective passwords.

2. Set up 2-step verification

2-step verification is the first action you should take to make user accounts more secure. Some methods include Google prompts, Google Authenticator, and backup codes.

Users sign in to their account in two steps with something they know (their password) and something they have (their phone or a security key). So even if a cybercriminal steals an employee’s username and password, they would still need to have access to the employee’s email account or phone to be able to complete the login process and steal the information that’s part of the account.

Unfortunately, sometimes employees follow bad security practices like leaving post-it notes with passwords on their desks or using the same passwords frequently without much modification. 2-step verification isn’t foolproof, but it provides a more robust process to secure your documents.

3. Use security keys

For employees who work with sensitive data, a physical key improves security and can be used in place of a password. These small hardware devices are used for two-factor authentication and help combat phishing threats.

According to the Google Help Center, when a user signs in to their Google account, their device detects that the account has a security key. For the second verification step, the user signs in with their security key. The user connects their security key to their device via USB or Bluetooth, depending on the key type.

4. Set up Password Alerts

Help prevent password reuse with Password Alert to ensure users don’t use their business passwords on other sites. Since many companies use Chrome as their browser of choice, enabling the password alert extension lets employees know when they’re entering their sign-on information on an untrustworthy website.
The extension can be enhanced further by enabling email alerts and forcing password changes as needed, so breaches can be prevented on the users’ end.

5. Encrypt your files

When you create a Google document, spreadsheet, or slide presentation, it stays private until you open it up through one of three possible sharing options. You can set it to be a public document, give access to anyone with the link, or share it with a designated list of team members.

Google Docs, Sheets, and Slides are only as confidential as you want them to be on a shared drive.

Encrypting the files on the computer provides another layer of security that’s easy to use. When placing encryption on the hard drive, the encryption software scrambles the data into unreadable content that can only be descrambled with the correct password. After entering the password, the file’s content returns to normal.

Whether you decide to use encryption or not, you should set your files to fit your security needs. Change them to Public, Private with Link, or share them with a designated list of team members via email address.

6. Limit who can see newly created files and documents

As an administrator, you can manage how employees in your company can share Google Drive files and folders. These items include Google Docs, Sheets, Slides, and anything else stored in Google Drive. Remember, when employees share folders, they usually share folder contents as well.

Therefore, you can designate who can see the files your users create. You can do this by setting the sharing permissions, whether it’s:

  • Limiting and restricting sharing outside your business
  • Allowing users to share with anyone
  • Letting users share files publicly

7. Notify employees when they share a document with external parties

If you allow employees to share files externally, make sure they receive a notification when they attempt to do this. The notification nudges them to confirm that they want to share the file with someone outside of your organization.

8. Review activity reports

Information breaches are not noticed when they first occur. It’s not necessarily the data breach itself that is damaging but the overall length of time an unapproved party has access to your valuable company documents. By catching any unusual activity early on, you can limit any potential damage. Activity reports can track logins, account status, usage of 2-step verification, and other data sets that can point to unusual or undesired activity.

9. Set up admin email alerts

You can monitor activity and track potential security risks by setting up admin email alerts for certain situations, such as:

  • User activity alerts, e.g., leaked password, user suspended due to suspicious activity, and suspicious login
  • Mobile device activity alerts, e.g., device compromised and suspicious device activity
  • Alerts for setting changes by other administrators
  • General security-related alerts

10. Deactivate compromised accounts

When a user account has been compromised, it needs to be immediately deactivated, analyzed for any potential breaches, repaired, and then reassigned to the employee. During the reactivation process, the password should be reset, sign-in cookies deleted, and app passwords reset on devices such as cell phones and tablets. When the account is unsuspended and a user signs in with new identifying information, tokens and cookies will update accordingly.

11. Stop unauthorized access after an employee leaves

Keep your company’s data safe when an employee leaves by completing the following best practices:

  • Remove data from the user’s devices—by using the Admin console, you can remotely remove the entire device or only erase your company’s data.
  • Remove the user’s recovery email address and phone number so they can’t use the password recovery feature to access their old account.
  • Change the user’s password to decrease the risk of unauthorized access to their old account.
  • Reset the user’s sign-in cookies, which minimizes the risk of unauthorized access.
  • Cancel any security keys or application-specific passwords that have been granted access to the user’s account.
  • Delete the user’s account: move the user’s data that you want to save to another account, then delete their original account completely. This is the most reliable way to ensure former employees can’t access your company’s data.
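
A sharing audit to run alongside the offboarding steps above, as an added example that is not part of the original article: it flags files that remain reachable by a former employee, by outside accounts, or by anyone with the link. The records mirror the fields of the Drive API v3 permissions resource; the domain, addresses, file names and the OFFBOARDED list are constructed assumptions.

```python
# Permission records follow the Drive API v3 "permissions" resource fields
# (type, role, emailAddress, domain). All names and addresses are constructed.
COMPANY_DOMAIN = "example.com"  # assumption: the organization's domain
OFFBOARDED = {"dana@example.com", "dana.personal@gmail.com"}  # assumption
FILES = [  # constructed sample inventory
    {"name": "Q3 salaries", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "user", "role": "reader", "emailAddress": "dana.personal@gmail.com"}]},
    {"name": "Investor pitch", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "dana@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"name": "Team handbook", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
        {"type": "domain", "role": "reader", "domain": "example.com"}]},
    {"name": "Customer list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "agency@partner.test"}]},
]


def classify(perm):
    """Return a finding label for one permission, or None if it is internal."""
    email = perm.get("emailAddress", "").lower()
    if perm["type"] == "anyone":          # public or anyone-with-the-link
        return "public-or-link"
    if perm["type"] == "domain":
        internal = perm.get("domain", "").lower() == COMPANY_DOMAIN
        return None if internal else "external-domain"
    if email in OFFBOARDED:               # user/group grant to a leaver
        return "former-employee-owner" if perm["role"] == "owner" else "former-employee"
    if email.rsplit("@", 1)[-1] != COMPANY_DOMAIN:
        return "external-account"
    return None


def audit(files):
    """Return sorted (file, finding, grantee) tuples that need review."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            label = classify(perm)
            if label:
                grantee = perm.get("emailAddress") or perm.get("domain") or "anyone"
                findings.append((f["name"], label, grantee))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(FILES), sep="\n")
```

A "former-employee-owner" finding means ownership still has to be transferred before the account is deleted; a "former-employee" finding on a personal address is a grant that deleting the company account does not remove.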

12. Train your Google Workspace users

With a vast increase in phishing attacks along with the prevalence of ransomware, your employees are an essential line of defense when protecting sensitive company information. Team members should take steps that allow them to safeguard documents at all times.

It’s important to train your users on Google Workspace and also have policies/guidelines for staff in place, such as guidelines for passwords, cloud storage, and document sharing policies.

More information about Google Workspace security options and other settings can be found here.

13. Use a real-time access control system that proactively secures company documents

When companies want to take their security to the next level, they can add an access control system like Nira to protect their company data and assets in Google Workspace. There are multiple benefits to implementing access control and security measures in your company.

With an access control system, you can:

  • Gain total visibility—you can see who is accessing your data in real-time.
  • Monitor and protect your most important documents, assets, and resources.
  • Modify user permissions and block unauthorized permissions easily.
  • Have complete peace of mind knowing that your data is safe and can only be accessed by the assigned people.
  • Improve regulatory compliance, as non-conformance can lead to fines, revoked licenses, and even criminal liability.

How to secure your documents today

One significant data breach can create an irreversible blow to a company’s reputation. By keeping the above best practices and considerations in mind, you can help prevent data breaches and, should they occur, reduce the extent of the damage they cause.

To see what Nira can do to protect your company’s documents from unauthorized access in Google Workspace, request a demo today.

Nira is a real-time access control system that provides visibility and management over who has access to company documents in Google Workspace, with more integrations coming soon.
