One thing that will remain true is that no matter how strong the technology policies you have in place, your system is only as secure as its weakest link. And with more information being linked to our email addresses it’s no surprise that this becomes a prime target for potential thieves as a one-stop location for everything about a person. In many regards, email has become a single point of failure for an institution’s security. If a malicious user obtains access to an email account, they can not only access all the data in the mailbox, but also have the ability to get into connected accounts via tokens or password reset, and can send convincing emails to other people.
Google has made significant improvements in an administrator’s ability to train users and protect from sources that appear to be trusted that are in reality elaborate phishing attempts designed to trick users into compromising their accounts. Within the Safety section of Gmail’s settings, administrators can choose to display a banner when a potentially malicious message comes into their inbox.
Additionally, there are options to protect against attachments and scripts from Unknown Senders, Identify links hidden behind shortened URLs, as well as scanning images for possible hidden content. All this as a first line of defense against users granting access to their managed Google Workspace account.
But having settings configured is only that, a first line of defense. Teaching users to recognize the signs of malicious messages is another, and potentially more effective defense against these would be thieves. By training users on what to look for, we not only protect their managed accounts, but their personal accounts, and provide them with the tools to better educate students on the dangers that exist on the internet. With this in mind, Google has created a Phishing Test to not only see how well users can identify malicious messages, but also teach them in areas that they may fall short.
Another vulnerability users are susceptible to the reuse of passwords on other sites. Their password for their managed account should never be used on any other site, especially if they have used their Google Workspace email address as a point of contact. When you hear that a bunch of passwords were exposed in a hack, it was not due to a vulnerability exposed on Google’s site, but in one of these third-party sites. Google never stores or transmits your password in clear text.
Aside from encouraging users from not reusing their passwords, Google has developed a Chrome Extension that can be deployed to users that will prompt them to change their password if it detects that they have entered their Google Workspace password on a page outside of Google’s login pages. In addition to this Password Alert extension, an App Engine server can be configured to track offenses. Configuring and deploying the Password alert server helps mitigate exposure that is the result of human nature, and helps Admins identify those individuals that may need some additional training.
As always, secure passwords and 2 Factor Authentication (2FA) are another tool in our arsenal to prevent unauthorized access to accounts.
If you would like to know more on how to customize rules for your domain, contact us or visit our support page to find out other ways we can assist you with technical projects within your Google for Education environment.