7 ways admins can help secure accounts against phishing in G Suite | Google Workspace Blog (2024)

We work hard to help protect your company against phishing attacks—from using machine learning, to tailoring our detection algorithms, to building features to spot previously unseen attacks. While we block as many external attacks as we can, we continue to build and offer features designed to empower IT administrators to develop strong internal defenses against phishing.

Here are seven things we recommend admins do in G Suite to better protect employee data.

1. Enforce 2-step verification

Two-step verification (2SV) is one of the best ways to prevent someone from accessing your account, even if they steal your password. In G Suite, admins have the ability to enforce 2-step verification. 2SV can reduce the risk of successful phishing attacks by asking employees for additional proof of identity when they sign in. This can be in the form of phone prompts, voice calls, mobile app notifications and more.

G Suite also supports user-managed security keys, easy-to-use hardware authenticators. Admins can choose to enforce the use of security keys to help reduce the risk of stolen credentials being used to compromise an account. The key sends an encrypted signature and works only with authorized sites. Security keys can be deployed, monitored and managed directly from within the Admin console.


2. Deploy Password Alert extension for Chrome

The Password Alert Chrome extension checks each page that users visit to see if that page is impersonating Google’s sign-in page and notifies admins if users enter their G Suite credentials anywhere other than the Google sign-in page.

Admins can enforce deployment of the Password Alert Chrome extension from the Google Admin Console (Device management > App Management > Password Alert)—just sign in and get started. You should check “Force installation” under both “User Settings” and “Public session settings.”

Admins can also enable Password Alert auditing, send email alerts and enforce a password change policy when G Suite credentials have been used on a non-trusted website such as a phishing site.

3. Allow only trusted apps to access your data

Take advantage of OAuth apps whitelisting to specify which apps can access your users’ G Suite data. With this setting, users can grant access to their G Suite apps’ data only to whitelisted apps. This prevents malicious apps from tricking users into accidentally granting unauthorized access. Apps can be whitelisted by admins in the Admin console under G Suite API Permissions.

4. Publish a DMARC policy for your organization

To help your business avoid damage to its reputation from phishing attacks and impersonators, G Suite follows the DMARC standard. DMARC empowers domain owners to decide how Gmail and other participating email providers handle unauthenticated emails coming from your domain. By defining a policy and turning on DKIM email signing, you can ensure that emails that claim to be from your organization are actually from you.
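A DMARC policy is published as a DNS TXT record at `_dmarc.<your-domain>`, and the value of its `p=` tag decides whether receivers such as Gmail merely report on unauthenticated mail or reject it. The following added example (not Google's code, and not part of the original post) parses such a record and lists the findings an admin would want to fix before relying on it; the two records and the `example.com` reporting address are constructed samples.

```python
"""Parse and sanity-check a DMARC DNS TXT record (added example, not Google's)."""
from typing import Dict, List

# Constructed sample records for a hypothetical example.com domain.
SAMPLE_STRICT = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                 "adkim=s; aspf=s; pct=100")
SAMPLE_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into its tag=value pairs.

    Tags are separated by ';'. Per RFC 7489 the first tag must be v=DMARC1;
    a record that violates that, or contains a tag without '=', is rejected.
    """
    tags: Dict[str, str] = {}
    parts = [p.strip() for p in record.split(";") if p.strip()]
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not parts or not parts[0].lower().startswith("v=") or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings a defender would act on; an empty list means the record
    enforces a policy on all mail, receives reports and uses strict alignment."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; unauthenticated mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the mail stream")
    for tag in ("adkim", "aspf"):  # alignment mode defaults to relaxed ('r')
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag} is relaxed: any subdomain of the organizational "
                            "domain satisfies alignment")
    return findings


if __name__ == "__main__":
    for rec in (SAMPLE_STRICT, SAMPLE_MONITOR_ONLY):
        print(rec, "->", assess_dmarc(rec) or "OK")
```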

5. Disable third-party email client access for those who don't need it

The Gmail clients (Android, iOS, Web) leverage Google Safe Browsing to incorporate anti-phishing security measures such as disabling suspicious links and attachments and displaying warnings to users to deter them from clicking on suspicious links.

By choosing to disable POP and IMAP, Google Sync and G Suite Sync for Microsoft Outlook, admins can ensure that a significant portion of G Suite users will only use Gmail clients and benefit from the built-in phishing protections that they provide. Additional measures include enabling OAuth apps whitelisting to block third-party clients, as suggested earlier in this post.

Note: all third-party email clients, including native mobile mail clients, will stop working if the measures outlined above are implemented.

6. Encourage your team to pay attention to external reply warnings

By default, Gmail clients (Android, Web) warn G Suite users if they’re responding to emails sent from outside their domain by someone they don’t regularly interact with, or from someone not in their contacts. This helps businesses protect against forged emails from malicious actors, or just plain old user error like sending an email to the wrong contact. Educate your employees to look for these warnings and be careful before responding to unrecognized senders. Unintended external reply warnings are controlled from the Admin console, in the “Advanced Gmail” setting.

7. Enforce the use of Android work profiles

Work profiles allow you to separate your organization's apps from personal apps, keeping personal and corporate data separate. By using integrated device management within G Suite to enforce the use of work profiles, you can whitelist applications that access corporate data and block installation of apps from unknown sources. You now have complete control over which apps have access to your corporate data.

These steps can help you improve your organization’s security posture and become more resistant to phishing attacks. Learn more at gsuite.google.com/security or sign up for our security webinar on September 20, 2017, which features new security research from Forrester and a demonstration of how the cloud can help effectively combat cyber threats.
