Best Ways to Protect Your Google Apps Account from Being Hacked

We have seen an alarming increase in the number of Google Apps accounts that have been “hacked” across both our business and education customers. Securing your Google Apps account is crucial to protect your sensitive information and prevent unauthorized access.

Google Apps platform security is NOT the issue.  ALL of the hacked accounts are due to compromised user identities.

In every case we have encountered, users have either used their Google Apps email address and password with another service that has had a breach, or have had malware on their computers that provided username and password keystrokes to the hackers.

In both types of incidents, hackers then log in as the user and cause mayhem.

Essential Steps to Make Your Google Apps Account More Secure From Hackers:

1) Educate your users that they are not to use their Google Apps password for any other account not explicitly authorized. Users should also not use their Google Apps email address as the username for personal accounts with other services. It’s also critical to understand the risks of using third-party apps.

2) Check your systems for malware and make sure your endpoint protection is up to the task. If not, we recommend Webroot Endpoint Protection and Web Security Services (the link is to our edu site, but the service is available to business and government customers as well).

3)  Implement Two-Factor Authentication (2FA).  In business environments, users should be using 2FA to secure their accounts.  Implementation can be involved if you have other services linked to Google Apps, as you will need to generate service-specific passwords.

4) Use Strong Passwords: Create a strong, unique password for your Google account. Avoid using easily guessable information and include a combination of upper and lower case letters, numbers, and special characters.

5) Review Account Activity: Periodically review the recent activity on your account. Google provides a “Last account activity” feature that allows you to check for any suspicious login attempts.

6) Check Account Permissions: Regularly review the apps and services that have access to your Google account. Remove access for any applications or devices that you no longer use or trust.

7) Beware of Phishing Attempts: Be cautious of phishing emails or websites that attempt to steal your login credentials. Always verify the authenticity of emails and URLs before entering your Google account information.

In education environments, 2FA is not practical for all users, as students and many faculty members may not have mobile devices available to access the Authenticator.  For schools, we recommend any user with partial or full administrative privileges have 2FA active.
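One way to check the recommendation above that every account with partial or full administrative privileges has 2FA active, as an added example that is not part of the original post. It assumes you have a user list exported as JSON in the shape of an Admin SDK Directory API users.list response, and it treats "full" as isAdmin and "partial" as isDelegatedAdmin; the sample accounts and domain are constructed.

```python
import json

# Constructed sample shaped like an Admin SDK Directory API users.list response.
# All accounts and the domain are made up for illustration.
SAMPLE_EXPORT = """
{"users": [
  {"primaryEmail": "it.director@school.example", "isAdmin": true,
   "isDelegatedAdmin": false, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true},
  {"primaryEmail": "helpdesk@school.example", "isAdmin": false,
   "isDelegatedAdmin": true, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "principal@school.example", "isAdmin": true,
   "isDelegatedAdmin": false, "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
  {"primaryEmail": "old.admin@school.example", "isAdmin": true,
   "isDelegatedAdmin": false, "isEnrolledIn2Sv": false, "suspended": true},
  {"primaryEmail": "student1@school.example", "isAdmin": false,
   "isDelegatedAdmin": false, "isEnrolledIn2Sv": false},
  {"primaryEmail": "registrar@school.example", "isAdmin": false,
   "isDelegatedAdmin": true, "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false}
]}
"""

def audit_admin_2fa(export_json):
    """Return (email, role, finding) tuples for privileged accounts with a 2FA gap."""
    findings = []
    for user in json.loads(export_json).get("users", []):
        if user.get("isAdmin"):
            role = "super admin"          # full administrative privileges
        elif user.get("isDelegatedAdmin"):
            role = "delegated admin"      # partial administrative privileges
        else:
            continue  # students and non-admin staff are out of scope here
        if user.get("suspended"):
            continue  # suspended accounts cannot sign in
        # Missing fields are treated as False so a gap is never hidden.
        if not user.get("isEnrolledIn2Sv", False):
            findings.append((user["primaryEmail"], role, "not enrolled"))
        elif not user.get("isEnforcedIn2Sv", False):
            findings.append((user["primaryEmail"], role, "enrolled, not enforced"))
    # Full administrators first, then by address for a stable report.
    return sorted(findings, key=lambda f: (f[1] != "super admin", f[0]))

if __name__ == "__main__":
    for email, role, finding in audit_admin_2fa(SAMPLE_EXPORT):
        print(f"{email:32} {role:16} {finding}")
```

Accounts reported as "enrolled, not enforced" have 2FA today but can turn it off themselves, so they are worth following up as well.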

FAQs About Keeping Your Google Account Safe from Hackers

Activating 2FA is covered by our support agreements.

For customers and others without support agreements, mention this blog post and we will discount our hourly support fee by 10%.

We will discount Webroot deployment fees by 50%.  

Both offers expire on December 31, 2014.

Please contact our Service Desk for 2FA assistance; contact Sales regarding Webroot.


Moving to the Cloud: Security


This post is the first in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

At some point in the evaluation and decision process, the issue of security comes to the forefront as organizations look at cloud computing.  Vendors and resellers, like Cumulus Global, often provide two answers — both of which are correct:

  1. Cloud computing providers need their environments to be secure, and they invest time and money on security.  Most cloud providers deliver environments and systems that are significantly more secure than their customers could provide for themselves.
  2. Standard cloud security may not be sufficient to meet specific business needs.  Just as they would with in-house systems, cloud computing customers should be prepared to add additional security services to meet business requirements such as HIPAA, SEC, FINRA, and PCI compliance.

As a first step, organizations moving to the cloud should review the security capabilities of their solution provider.  Beyond the technology, look for certifications such as SSAE-16 Type I and II, ISO 27001, and FISMA.  Make sure that the provider’s security practices are reflected in their terms of service, contracts, and service level agreements.  Finally, verify if and how you can add security capabilities to meet business or industry requirements.

With a reasonable level of due diligence and planning, cloud solutions can overcome any security concerns.

Next Post in the Series: Moving to the Cloud: Cost Savings