The Cybersecurity Tools Hidden in Google Workspace
Google’s focus on cybersecurity can give your business a strong front line against cyber threats
Improving your cybersecurity posture doesn’t require significant investment. Businesses can strengthen it by using features in the software platforms they already own, like Google Workspace, which includes a wide range of security features within its core products. For business owners and IT specialists looking to bolster their defenses, learning how to use these built-in tools could be a cost-effective way to enhance security and avoid a harmful cybersecurity incident.
From Gmail’s AI-powered malware scanning to the Security Checkup feature that continuously audits your account’s safety, here’s how the security built into Google Workspace can help ensure that your company’s communications and data remain uncompromised.
Gmail Malware Scanning
By default, Gmail’s malware scanning process employs a combination of machine learning, behavioral analysis, and AI-driven threat detection to identify and block malware. Here’s what that means:
- AI-Powered Data Loss Prevention (DLP): Google Workspace can automatically detect and redact sensitive data, including personally identifiable information (PII), before it is shared externally or fed into public AI models. This has become a critical safeguard, as 55% of AI inputs now contain sensitive information. DLP policies work silently in the background, preventing costly data leaks without disrupting your team’s workflow.
- Behavioral Modeling for Phishing: Gmail now uses behavioral AI to detect sophisticated attacks that lack traditional red flags like typos or suspicious formatting. This includes “ClickFix” attacks, where users are socially engineered into running malicious commands, and highly convincing AI-generated fraud emails. Rather than relying on known patterns, Gmail’s behavioral models flag anomalies in how messages are constructed and how links behave before a user ever interacts with them.
- Heuristic Analysis: Heuristics are like signatures, but focused on how software behaves. Gmail analyzes email attachments for traits common to known malware or unusual activity that could signify a new, unknown threat. Executable files, for instance, are scrutinized closely because they contain code that can launch potentially harmful programs.
- Machine Learning: Gmail has continuously improved its filtering and detection systems by learning from prior scans and user feedback. This ongoing learning helps Gmail recognize evolving malware threats, including zero-day attacks that have never been seen before.
- Sandboxing: Gmail uses an advanced technique called sandboxing for high-risk attachments. Sandboxing opens the attachment in a secure, isolated environment within Google’s servers to monitor its behavior, helping to identify harmful actions such as downloading malware or connecting to suspicious servers.
Attachment Restrictions
Gmail blocks certain files that are commonly used to deliver malware, including executable files (.exe, .dll), scripts (.bat, .cmd), and archive files that may contain harmful content, such as password-protected .zip files or compressed executables. When a potentially dangerous attachment is detected, Gmail prevents the user from downloading it and displays a warning message explaining why the file was blocked.
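An added example, not Gmail's implementation or code from this article: a Python check that applies the attachment rules described above to a raw message, covering blocked extensions, password-protected archives, and executables or scripts inside a zip. The extension set is only the one named in this article, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the article; an assumption, not Gmail's full blocklist.
BLOCKED_EXT = {".exe", ".dll", ".bat", ".cmd"}

def ext(name):
    return PurePosixPath((name or "").replace("\\", "/")).suffix.lower()

def screen_attachment(filename, payload):
    """Return the reasons to block one attachment (empty list = allow)."""
    reasons = []
    if ext(filename) in BLOCKED_EXT:
        reasons.append(f"blocked type {ext(filename)}")
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0: entry is encrypted
                    reasons.append("password-protected archive")
                    break
                if ext(info.filename) in BLOCKED_EXT:
                    reasons.append(f"archive contains {info.filename}")
    return reasons

def screen_message(raw):
    """Map each attachment filename in a raw message to its block reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): screen_attachment(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed message: a harmless PDF and a zip with a script inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/setup.BAT", "echo constructed sample")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample content", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, why in screen_message(build_sample()).items():
        print(name, "->", why or "allowed")
```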
Safe Browsing Integration
Gmail’s security checks are integrated with Google’s Safe Browsing technology, which identifies unsafe website addresses. If a message contains a link known to lead to malicious websites, Gmail will display a warning or prevent the message from being received.
Google Security Checkup
Google’s Security Checkup has evolved from a manual audit into a proactive, AI-driven recommendation engine. Rather than simply listing account settings for you to review, it now actively surfaces risks — such as unusual login patterns, high-risk third-party app permissions, and configuration issues that may have drifted out of compliance over time — and tells you exactly what to do about them.
This matters because of a growing challenge called configuration drift: security settings that were correct when first established can quietly become ineffective as your tools, team, and threat landscape change. Regular, proactive reviews are no longer optional — they’re essential.
What is Covered in a Google Security Checkup?
- Recent Security Events: This section shows all security-related changes to your profile so you can quickly verify the ones you authorized and flag the ones you didn’t. AI-powered anomaly detection now highlights login attempts or access events that fall outside your normal patterns.
- Third-Party Access: Google lists all external applications and services that have access to your account, including apps connected to your Google Drive, Gmail, and other Workspace services. The Security Checkup now flags high-risk permissions automatically, making it easier to revoke access to apps that are unnecessary or potentially compromised.
- Your Devices: The checkup shows a list of devices that have accessed your Google account, helping verify that all of them belong to your company or have been used by authorized personnel. Unrecognized devices can be signed out immediately.
- Sign-In and Recovery: This section prompts you to keep recovery information, like phone numbers and backup email addresses, current. Accurate recovery details are crucial for regaining account access after a lockout and for receiving critical security alerts.
- Passkeys and Authentication: The Security Checkup now assesses whether your accounts are protected by Passkeys. By 2026, Passkeys using biometrics (fingerprint or Face ID) have become the standard for account authentication, replacing traditional SMS-based multi-factor authentication (MFA). Unlike SMS codes, Passkeys are cryptographically bound to your device and cannot be phished, making them significantly more secure.
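Why a passkey sign-in cannot be replayed from a look-alike site, as an added example that is not Google's code: the relying party's checks on the origin and RP ID carried in a WebAuthn assertion. The RP ID, origins and assertion bytes are constructed, and the signature over these bytes is assumed to be verified separately with the registered public key.

```python
import base64
import hashlib
import json
import struct

RP_ID = "accounts.example.com"                  # assumed relying-party ID
EXPECTED_ORIGIN = "https://accounts.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what the browser and authenticator return."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = 0x01 | 0x04                         # user present + user verified
    # authenticatorData = SHA-256(rpId) | flags (1 byte) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 7)
    return client_data, auth_data

def check_assertion(client_data, auth_data, challenge):
    """Return the names of the binding checks that failed (empty = pass)."""
    cd = json.loads(client_data)
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):   # must be the one we issued
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:        # set by the browser, not the page
        failures.append("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failures.append("user-presence flag")
    # A real verifier then checks the signature over
    # auth_data + SHA-256(client_data) with the registered public key.
    return failures

if __name__ == "__main__":
    ch = b"\x01" * 32
    print("real site:", check_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    relayed = make_assertion("https://accounts.example.com.login.test", "login.test", ch)
    print("look-alike:", check_assertion(*relayed, ch))
```

Even when the look-alike site relays the genuine challenge, the browser records its own origin and the authenticator hashes its own RP ID, so both checks fail; an SMS code typed into the same page would have been accepted.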
How to Conduct a Security Checkup
Follow these simple steps to begin:
- Go to the Google Account page (myaccount.google.com).
- Click on the Security tab on the left-hand side.
- Look for the Security Checkup section and click Get Started to begin the guided process.
A best practice is to set up a routine (monthly or quarterly) checkup on all business-related Google accounts. Security is not a one-time configuration; it requires continuous review. Train your team on the importance of these checks, the kinds of issues they’re looking for, and how to address them.
Gemini for Security: AI That Works for You
Gemini is Google’s AI built directly into security workflows. Here are three high-value ways to use Gemini for security:
- Translate security logs into plain English. Security logs are notoriously difficult to read. Gemini can interpret them and explain what happened, who was involved, and whether action is needed, without requiring specialized training.
- Audit your environment with natural language. Ask Gemini questions like “Show me all files shared with external users this week” or “Which third-party apps have access to sensitive Drive folders?” and get immediate, actionable answers. This turns what used to be a time-consuming manual process into a conversation.
- Get guided response actions. When threats are detected, Gemini can recommend clear, prioritized next steps, for example, flagging suspicious files accessed at unusual hours and walking you through exactly what to do about them. This helps your team respond faster and more confidently, without needing dedicated security expertise.
Google’s Advanced Protection Program (APP) is the company’s strongest security offering for users at a higher risk of targeted online attacks. Small business owners, IT specialists, and individuals with significant business or personal data online can benefit from the additional layers of security APP provides. The program is built to defend against phishing and account hijacking, and it provides extra protection for data stored in Google services.
Advanced Protection Program Features
- Stronger Account Verification: Google mandates the use of FIDO-compliant security keys under the program. These can be dedicated physical devices (such as a USB or NFC key) or, increasingly, a user’s own mobile device, which can serve as a built-in FIDO-compliant security key. This flexibility has made APP more accessible while maintaining its strong security guarantees.
- Restricted Third-Party Access: APP severely limits which third-party apps can access your Google account data. Only Google apps and selected third-party apps that meet Google’s security standards can access sensitive Gmail and Drive data, reducing the risk of data being exposed through compromised integrations.
- Enhanced Scanning for Email Threats: APP subscribers benefit from Google’s most stringent email scanning protocols, including the behavioral AI and DLP capabilities described above. Gmail will automatically perform additional checks to block phishing attempts and prevent malicious content from reaching the inbox.
How to use Google’s Advanced Protection Program
To safeguard your sensitive information, follow these steps to use Google’s Advanced Protection Program effectively:
Enrollment
- Acquire a Security Key: Users must obtain two FIDO-compliant security keys: one primary and one backup. Options include Google’s own Titan Security Key, third-party hardware keys, or using a compatible mobile device as a built-in key.
- Enroll in the Program: Visit Google’s Advanced Protection landing page and sign in with the account you want to protect. Follow the on-screen instructions to register your keys.
Post-Enrollment Adjustments
- Review Device Access and Third-Party Apps: Inspect the generated list and ensure that all devices and third-party applications accessing the account are known and trusted. Remove those that are unknown, unnecessary, or not compliant with company policies.
- Integrate With Business Infrastructure: Use your Admin console to ensure APP works alongside any other security measures, software, or systems already in place.
Cybersecurity can seem daunting and costly, but it doesn’t have to be. Google Workspace comes with a robust array of security features, powered increasingly by AI, that protect your business at no additional cost. These tools are designed to integrate seamlessly into your everyday workflow, and they continue to improve as threats evolve. The key is to engage with them actively: review settings regularly, adopt Passkeys, and take advantage of Gemini’s AI capabilities to stay one step ahead.
Enhance With Stance
The tools and services above offer a solid way to strengthen your Google Workspace. However, cyber threats evolve rapidly, making it challenging for any business to stay ahead of cyber criminals. At-Bay Stance™, which is included with your At-Bay policy¹, is an AI-powered unified security platform that’s purpose-built to protect your whole IT environment. With two clicks, it can be integrated into your Google Workspace and keep an eye on vulnerabilities so you can focus on your business.
Already an At-Bay policyholder? Log in to Stance and connect your Microsoft 365 account.
Want to take your security even further? At-Bay Stance Managed Detection & Response (MDR) protects your entire IT environment by combining enterprise-grade technology with 24/7 monitoring by At-Bay security experts. Learn more about Stance MDR or contact our team at security@at-bay.com.
The above tools are meant to provide basic security enhancements but do not replace enterprise-grade security tools such as EDR, MDR, and email security platforms.
Higher licensing may be required for some of the features listed in this article.
¹ Access to At-Bay Stance is available to policyholders via the Embedded Security Fee and Endorsement. Refer to the policy form for additional information. At-Bay Stance MDR is an optional service available for purchase from At-Bay’s security affiliate, At-Bay Security, LLC; it is not a requirement for insurance coverage through At-Bay and is not limited to At-Bay policyholders.