A Google Workspace security audit checks how access and data are controlled: whether 2-Step Verification is enforced, how many super admins exist, how Drive files are shared, whether former employees still have access, whether email authentication is configured, whether real backup exists, and whether audit logs are kept. These seven areas catch most small business risk.

Most small businesses do not get breached through some sophisticated attack. They get caught by the boring gaps: a former employee who still has access, an owner without 2FA, a Drive folder shared with "anyone with the link." A security audit is just the disciplined check for those gaps before someone else finds them. Here are the seven areas worth checking, in plain language.

The seven-point starting checklist

1. Is 2-Step Verification enforced, not just allowed?

Allowed means optional, and optional means the people most likely to be phished often skip it. Confirm it is enforced across the organization, not left to each person. The full how-to is in enforcing 2FA across Google Workspace.

2. How many super-admin accounts exist?

Every super admin is a master key to your entire environment. Most small businesses need very few. Extra ones, especially old or shared accounts, are a large and unnecessary risk. Count them, and trim them to the minimum.

3. How is Drive sharing configured?

The dangerous default is files shared with "anyone with the link." Check organization-wide sharing settings, look for documents exposed beyond the company, and confirm sensitive files live in Shared Drives with controlled access rather than scattered across personal drives.

4. Do former employees still have access?

This is the most common real-world gap. When someone leaves, their access to email, Drive, and client files has to be revoked and their data transferred, not left active. If you are not certain, see how to revoke a departing employee's access.

5. Is email authentication (SPF, DKIM, DMARC) set up?

These three DNS records stop attackers from spoofing your domain to send convincing phishing as you. Missing or misconfigured records are common and quietly damaging. All three should be present and aligned.
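One way to run this check, as an added example that is not part of the original article: the function below grades the TXT records published at the domain apex, at the DKIM selector (Google Workspace's default selector is `google`, so `google._domainkey.<domain>`), and at `_dmarc.<domain>`. The function names and the sample records for `example.com` are constructed for illustration; it checks presence and policy strength of the records, not alignment of live mail.

```python
# Added example: audit SPF, DKIM and DMARC TXT records for one domain.
# Records are passed in as strings so the check runs offline; fetch them
# with your resolver of choice (e.g. `dig +short TXT _dmarc.example.com`).

def parse_tags(record):
    """Split a 'k=v; k=v' DKIM/DMARC record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_email_auth(apex_txt, dkim_txt, dmarc_txt):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero means no SPF; more than one is a permanent error
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()
        if "include:_spf.google.com" not in terms:
            findings.append("SPF: Google's include:_spf.google.com is missing")
        if terms[-1] not in ("-all", "~all"):
            findings.append(f"SPF: record ends in {terms[-1]!r}, not -all or ~all")
    dkim = [t for t in map(parse_tags, dkim_txt) if "p" in t]
    if not dkim:
        findings.append("DKIM: no key published at the selector")
    elif not dkim[0]["p"]:  # an empty p= tag marks a revoked key
        findings.append("DKIM: empty p= tag (key revoked)")
    dmarc = [parse_tags(r) for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} does not block spoofed mail")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings

# Constructed sample records for the placeholder domain example.com.
WEAK = audit_email_auth(
    ["v=spf1 include:_spf.google.com ?all", "v=spf1 ip4:203.0.113.7 -all"],
    [], ["v=DMARC1; p=none"])
GOOD = audit_email_auth(
    ["v=spf1 include:_spf.google.com ~all"],
    ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"])
```

An empty result for `GOOD` and four findings for `WEAK` show the difference between records that merely exist and records that actually reject spoofed mail.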

6. Is there real backup, not just version history?

Google protects its infrastructure, but version history is not a backup. Most data loss is discovered after Google's short recovery windows have expired, and ransomware wipes version history along with the data. Confirm a true point-in-time backup exists.

7. Are admin audit logs being kept?

If something goes wrong, logs are how you find out what happened and what was touched. Confirm admin and login audit logs are retained, and that someone would actually notice an alert rather than learning about a problem weeks later.

How often should you do this?

At least once a year, and immediately after any trigger event: a security scare, an employee departure, a growth spurt, or losing the person who handled IT. Settings drift as a company grows, so a setup that was fine at 10 people is usually full of gaps by 40.

The difference between a checklist and an audit

This list catches the obvious gaps, and you should run it. A professional assessment adds depth and the fix: which gaps actually matter for your business, in what order, and the remediation to close them. A report nobody acts on changes nothing.

The full version

NeuGenity's 70-point Google Workspace Security Assessment starts at $499, reviews the full environment, prioritizes the gaps in plain language, and includes a remediation window to actually fix them. It is the direct answer to a security scare, a client security questionnaire, or simply not knowing whether your setup is safe.