Google Workspace Security: 12 Settings DACH SMEs Must Fix
Most DACH SMEs run Google Workspace on defaults. Here are 12 security settings to configure for DSGVO compliance, organized by priority.
Google Workspace Security: 12 Settings DACH SMEs Must Fix
Google Workspace ships with sensible defaults — for a US startup. For a 20-person Mittelstand company handling customer data under DSGVO, those defaults leave gaps. Passwords never expire. External file sharing is wide open. Two-factor authentication is optional. After onboarding dozens of Google Workspace tenants for DACH companies, the same 12 misconfigurations show up every time.
Why Defaults Are Not Enough
Google’s baseline security works for a five-person team where everyone trusts everyone. It breaks down at scale because:
- DSGVO requires data access controls — not just encryption, but audit trails showing who accessed what and when. Google Workspace logs exist but must be explicitly enabled.
- NIS2 introduces direct liability for management. A breach traced to a missing 2FA policy is a breach the CTO answers for personally.
- SMEs are the target — automated phishing and credential-stuffing campaigns hit small companies disproportionately because their security posture is weaker.
The good news: fixing all 12 settings below takes about 30 minutes in the Admin Console. No paid add-ons required.
Access Control: 2FA, Passwords, and User Management
Enable and Enforce 2-Step Verification (5 minutes)
This is the single highest-impact change. Go to Security > Authentication > 2-Step Verification and:
- Enable 2SV for all users
- Set enforcement to “On” (not just “recommended”)
- Set the enforcement date to 7 days from now — gives users time to set up their second factor
- Require security keys for admin accounts
Google prompts (phone notification) are the easiest second factor. Hardware keys (YubiKey, Titan) for admin accounts. SMS is better than nothing but vulnerable to SIM swapping — avoid it as the primary factor for anyone with admin access.
If a user loses their second factor, you can generate a one-time bypass code from the Admin Console under the user’s profile. Keep this process documented in your SOP documentation.
Restrict External File Sharing (3 minutes)
Under Apps > Google Workspace > Drive and Docs > Sharing settings:
- Set “Sharing options” to allow sharing only within your organization
- If you need external collaboration, allow sharing to specific domains — not “anyone with the link”
- Disable “Allow users to publish files to the web”
- Set the default link-sharing option to “Restricted” (not “Anyone”)
This prevents the most common data leak: an employee shares a spreadsheet with customer data via a public link that gets indexed or forwarded.
Configure Password Policies (2 minutes)
Under Security > Authentication > Password management:
- Minimum length: 12 characters
- Enforce at sign-in: password reuse prevention (last 4)
- Set expiration: never (NIST SP 800-63B recommends against forced rotation, but enforce complexity)
The 12-character minimum matters more than forced rotation. A 16-character passphrase that never changes is stronger than an 8-character password changed monthly.
Set Up Admin Audit Logs (2 minutes)
Under Account > Account settings > Data Access Transparency, ensure audit logging is active. Then check Security > Data Access Transparency for the admin audit log.
DSGVO Article 30 requires documentation of data processing activities. The admin audit log shows who changed what setting and when — your evidence trail. Export logs to Google BigQuery or a SIEM for long-term retention (Google retains admin logs for 6 months by default).
Data Protection: Region, Logging, and App Access
Configure Data Region (3 minutes)
Under Account > Settings for my organization > Data Regions, set your organization’s data region to Europe.
This doesn’t guarantee data never leaves the EU (Google may replicate for performance), but it ensures primary storage is within European data centers. For DSGVO documentation, this is a meaningful control to point to during an audit.
Disable Less Secure Apps (1 minute)
Under Security > Access and data control > Less secure apps, set to “Disable access to less secure apps for all users.”
Google deprecated “less secure apps” for most purposes, but the setting still exists and some legacy integrations rely on it. Any integration still using basic auth should migrate to OAuth 2.0. If you have a legitimate need, restrict less secure app access to a specific organizational unit — not the entire domain.
Set Up Alert Rules (3 minutes)
Under Security > Alert rules, enable at minimum:
- Suspicious sign-in activity — alerts on impossible travel, new device sign-ins
- User suspended (by Google) — catches compromised accounts
- Government-backed attack — Google’s advanced threat detection
- Data export — alerts when someone initiates a bulk data download
These alerts send to all super admins by email. For critical alerts, connect them to a Slack channel or PagerDuty via Google Workspace’s webhook integrations.
Review Third-Party App Access (2 minutes)
Under Security > Access and data control > App access control, audit which third-party apps have access to your organization’s Google data.
Common findings: a marketing tool with full Drive access that someone authorized 18 months ago and nobody uses anymore. Revoke access for unused apps. Set the default for new app authorizations to “Trusted” (block untrusted apps domain-wide, allowlist specific apps).
Monitoring and Hardening
Configure Gmail Security Settings (2 minutes)
Under Apps > Google Workspace > Gmail > Safety:
- Enable enhanced pre-delivery message scanning
- Turn on “Warn users about unauthenticated emails” (BIMI/DMARC alignment)
- Set attachment filtering to include executable types
- Enable “Protect against anomalous attachments”
For DSGVO compliance, also configure Gmail > Routing > Routing to set up a compliance footer with your company’s registered address and data processing information.
Set Up User Provisioning Rules (2 minutes)
Under Directory > Users, configure:
- Suspension policy: Automatically suspend accounts after 90 days of inactivity
- Offboarding: Create an organizational unit called “Offboarded” — move terminated users there first, then delete after 30 days
The offboarding process is where most SMEs leak data. A salesperson leaves, their account stays active for months, and nobody revokes their access to shared drives or CRM integrations. Automated suspension closes this window.
Enable Context-Aware Access (3 minutes)
Under Security > Access and data control > Context-Aware Access, create access levels:
- Full access: Corporate IP ranges only
- Limited access: Non-corporate IPs (blocks admin functions)
- Blocked: Countries where you have no business presence
Context-aware access requires Google Workspace Enterprise editions. If you’re on Business Standard or Plus, use IP allowlisting at the organizational unit level instead — less granular but achieves the same goal for most SMEs.
Document Your Configuration (Ongoing)
Every setting above should be documented in an internal runbook. Include:
- The setting name and path in the Admin Console
- The configured value
- The rationale (especially for DSGVO/NIS2 compliance)
- The person responsible for reviewing it quarterly
This runbook is your evidence during a DSGVO audit. If a supervisory authority asks how you control access to personal data, you hand them the runbook showing 2FA enforcement, external sharing restrictions, and audit log retention. No runbook, no evidence.
The Takeaway
Google Workspace’s default configuration is built for convenience, not compliance. For DACH SMEs under DSGVO and NIS2, the 12 settings above close the most common gaps in under 30 minutes. Document what you configure, review it quarterly, and treat the Admin Console as a compliance tool — not just an IT utility.
If configuring and maintaining these settings isn’t something your team has capacity for, managed Google Workspace handles setup, security baselines, and ongoing administration. Pricing starts at €129/month for businesses under 10 users.