The majority of small business data now lives in Google Workspace or Microsoft 365. These platforms are secure by design — but the default configurations are not optimized for security. This guide walks you through the specific settings you need to configure to properly secure your cloud environment.

Why Cloud Security Configuration Matters

The most common small business cloud security incidents involve: compromised accounts (an employee’s credentials are phished, giving attackers full access to email, Drive/OneDrive, and every shared document), overshared data (files shared publicly or with anyone-with-the-link, exposing confidential documents), third-party app abuse (malicious or insecure apps granted excessive permissions), and shadow IT (employees using personal accounts to store company data).

Google Workspace Security Configuration

Two-step verification enforcement: Admin Console → Security → Two-step verification. Set enforcement to ON for all organizational units. Set new user enrollment period to 1 week.

Session management: Set re-authentication time to 8 hours for standard users and 2 hours for admin accounts.

Less secure app access: Set “Disable access to less secure apps” to ON for all users. This blocks apps that sign in with only a username and password (rather than OAuth) from accessing Google services, so a stolen password alone cannot be used to read mail or Drive contents through such a client.

Third-party app access: Security → API controls → Manage third-party app access. Review all authorized apps — remove any that are unused or have excessive permissions.

Google Drive sharing: Admin Console → Apps → Drive and Docs → Sharing settings. Set sharing outside your domain to “Allowed with warning.” Set default link sharing to “Restricted” (only specific people). Audit existing shared files quarterly using Google Drive Audit (Admin → Reports → Audit → Drive events) to find files shared publicly.
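The quarterly Drive audit above is easier to do from the exported audit events than by clicking through the report. The following is an added example, not part of the original guide, that flattens Drive audit events and flags files whose latest visibility change left them reachable by anyone with the link or indexed on the web, plus per-user grants to accounts outside the company domain. It assumes the events follow the shape of the Admin SDK Reports API Drive activity export (event names change_document_visibility and change_user_access with parameters doc_id, doc_title, visibility and target_user); the sample events in the block are constructed.

```python
"""Flag over-shared Google Drive files from exported Drive audit events.

Added example (not from the original guide). The event shape is assumed to
match the Admin SDK Reports API "drive" activity export; the sample events
below are constructed for illustration.
"""
import json

# Visibility values that mean "anyone with the link" or "findable on the web"
PUBLIC_VISIBILITY = {"public_on_the_web", "people_with_link"}

# Constructed sample export: a payroll sheet made public, a harmless doc made
# link-shareable and then restored to private, and a contract shared with a
# vendor account outside the domain.
SAMPLE_EVENTS_JSON = """[
  {"id": {"time": "2024-05-01T09:12:00Z"}, "actor": {"email": "alice@example.com"},
   "events": [{"name": "change_document_visibility",
               "parameters": [{"name": "doc_id", "value": "doc-001"},
                              {"name": "doc_title", "value": "Q2 payroll.xlsx"},
                              {"name": "visibility", "value": "public_on_the_web"}]}]},
  {"id": {"time": "2024-05-01T10:30:00Z"}, "actor": {"email": "bob@example.com"},
   "events": [{"name": "change_document_visibility",
               "parameters": [{"name": "doc_id", "value": "doc-002"},
                              {"name": "doc_title", "value": "Team lunch menu"},
                              {"name": "visibility", "value": "people_with_link"}]}]},
  {"id": {"time": "2024-05-02T08:00:00Z"}, "actor": {"email": "bob@example.com"},
   "events": [{"name": "change_document_visibility",
               "parameters": [{"name": "doc_id", "value": "doc-002"},
                              {"name": "doc_title", "value": "Team lunch menu"},
                              {"name": "visibility", "value": "private"}]}]},
  {"id": {"time": "2024-05-03T14:45:00Z"}, "actor": {"email": "carol@example.com"},
   "events": [{"name": "change_user_access",
               "parameters": [{"name": "doc_id", "value": "doc-003"},
                              {"name": "doc_title", "value": "Customer contracts"},
                              {"name": "target_user", "value": "partner@vendor.example"},
                              {"name": "new_value", "value": "can_edit"}]}]}
]"""


def flatten(raw_json):
    """Turn the nested export into one flat dict per event, sorted by time."""
    rows = []
    for activity in json.loads(raw_json):
        for ev in activity.get("events", []):
            row = {"time": activity["id"]["time"],
                   "actor": activity["actor"]["email"],
                   "name": ev["name"]}
            for p in ev.get("parameters", []):
                row[p["name"]] = p.get("value")
            rows.append(row)
    rows.sort(key=lambda r: r["time"])
    return rows


def public_files(rows):
    """Return {doc_id: (title, visibility)} for files whose most recent
    visibility change left them public. A later change back to private
    clears the flag, so only the current state is reported."""
    latest = {}
    for r in rows:
        if r["name"] == "change_document_visibility" and "visibility" in r:
            latest[r["doc_id"]] = (r.get("doc_title", ""), r["visibility"])
    return {d: v for d, v in latest.items() if v[1] in PUBLIC_VISIBILITY}


def external_shares(rows, domain):
    """Return (doc_id, title, target_user, actor) for per-user grants to
    accounts outside the company domain."""
    suffix = "@" + domain.lower()
    out = []
    for r in rows:
        target = r.get("target_user")
        if r["name"] == "change_user_access" and target and not target.lower().endswith(suffix):
            out.append((r["doc_id"], r.get("doc_title", ""), target, r["actor"]))
    return out


if __name__ == "__main__":
    rows = flatten(SAMPLE_EVENTS_JSON)
    for doc_id, (title, vis) in public_files(rows).items():
        print(f"PUBLIC   {doc_id} '{title}' visibility={vis}")
    for doc_id, title, target, actor in external_shares(rows, "example.com"):
        print(f"EXTERNAL {doc_id} '{title}' shared with {target} by {actor}")
```

Run it against a real export by replacing SAMPLE_EVENTS_JSON with the JSON returned for the Drive application from the Reports API; the flagged doc_ids are the ones to review with their owners, and any file in the public set that should not be there is the remediation list for the quarter.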

Microsoft 365 Security Configuration

Multi-factor authentication: Azure Active Directory → Security → MFA. Enable Security Defaults (provides MFA and blocks legacy authentication) or use Conditional Access policies for more granular control.

Disable legacy authentication: Legacy authentication protocols (basic authentication over SMTP, POP3 and IMAP4) cannot enforce MFA, so a phished password alone is enough to sign in through them. Block them via a Conditional Access policy or by enabling Security Defaults.

Microsoft Defender for Office 365: Enable Safe Links (rewrites URLs in email to check against threat intelligence before the user clicks), Safe Attachments (detonates email attachments in a sandbox before delivery), and anti-phishing policies with impersonation protection for your key executives.

Microsoft Secure Score: Review your Secure Score in the Microsoft 365 Defender portal. Work through the recommendations prioritized by impact score. This is the single most actionable dashboard for Microsoft 365 security posture.

OneDrive and SharePoint sharing: Microsoft 365 Admin Center → SharePoint → Policies → Sharing. Set OneDrive external sharing to “Existing guests” or “Specific people” — never “Anyone.”

Monthly Cloud Security Maintenance

Review admin accounts and roles — no unnecessary admin privileges.
Audit third-party app authorizations — revoke unused apps.
Review external sharing reports — no files shared more broadly than intended.
Check Microsoft Secure Score or Google Workspace Security Health for new recommendations.
Review sign-in logs for suspicious activity — logins from unusual locations or devices.
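The monthly sign-in log review, and the check that the legacy authentication block from the Microsoft 365 section is actually taking effect, can be done over an export of the sign-in logs. The following is an added example, not part of the original guide. It assumes records shaped like Microsoft Graph signIn entries (userPrincipalName, clientAppUsed, location.countryOrRegion, status.errorCode); the records, the per-user list of expected countries, and the set of legacy client app names are constructed here for illustration. Any successful sign-in through a legacy client means the block is not enforced for that user.

```python
"""Review sign-in log records for legacy authentication and sign-ins from
unexpected countries.

Added example (not from the original guide). Record shape is assumed to
follow Microsoft Graph signIn entries; the sample records, the expected-
country baseline and LEGACY_CLIENT_APPS are constructed assumptions.
"""
import json

# Client app names that indicate basic-auth (legacy) protocols (assumed list)
LEGACY_CLIENT_APPS = {"Authenticated SMTP", "IMAP4", "POP3",
                      "Exchange ActiveSync", "Other clients"}

# Constructed sample sign-ins: one successful IMAP sign-in (legacy auth still
# allowed), one failed SMTP attempt and one successful browser sign-in from an
# unexpected country, and one normal sign-in.
SAMPLE_SIGNINS_JSON = """[
 {"createdDateTime": "2024-05-06T08:01:00Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "Browser", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-06T08:05:00Z", "userPrincipalName": "alice@example.com",
  "clientAppUsed": "IMAP4", "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-06T03:10:00Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "Authenticated SMTP", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126}},
 {"createdDateTime": "2024-05-06T03:15:00Z", "userPrincipalName": "bob@example.com",
  "clientAppUsed": "Browser", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-06T09:00:00Z", "userPrincipalName": "carol@example.com",
  "clientAppUsed": "Mobile Apps and Desktop clients", "location": {"countryOrRegion": "CA"}, "status": {"errorCode": 0}}
]"""

# Constructed baseline: countries each user normally signs in from
EXPECTED_COUNTRIES = {
    "alice@example.com": {"US"},
    "bob@example.com": {"US"},
    "carol@example.com": {"US", "CA"},
}


def load_signins(raw_json):
    """Parse the export into a list of sign-in records."""
    return json.loads(raw_json)


def legacy_auth_signins(signins):
    """Return (user, client app, succeeded) for every sign-in that used a
    legacy protocol. A succeeded=True entry means the legacy-auth block is
    not in effect for that user; failed ones show the block working (or an
    attacker being stopped), and are worth tallying either way."""
    return [(s["userPrincipalName"], s["clientAppUsed"], s["status"]["errorCode"] == 0)
            for s in signins if s.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def unexpected_locations(signins, expected):
    """Return (user, country, time) for successful sign-ins from a country
    not in that user's baseline. Failures are skipped here because failed
    attempts from random countries are background noise; only a success
    from an unexpected place indicates a likely compromised account."""
    out = []
    for s in signins:
        if s["status"]["errorCode"] != 0:
            continue
        upn = s["userPrincipalName"]
        country = s.get("location", {}).get("countryOrRegion", "??")
        if country not in expected.get(upn, set()):
            out.append((upn, country, s["createdDateTime"]))
    return out


if __name__ == "__main__":
    signins = load_signins(SAMPLE_SIGNINS_JSON)
    for upn, app, ok in legacy_auth_signins(signins):
        print(f"LEGACY-AUTH {upn} via {app} {'SUCCEEDED' if ok else 'failed'}")
    for upn, country, when in unexpected_locations(signins, EXPECTED_COUNTRIES):
        print(f"NEW-COUNTRY {upn} from {country} at {when}")
```

Build the expected-country baseline from a few months of successful sign-ins per user before relying on it, and treat a successful legacy-auth sign-in as a configuration finding (re-check Security Defaults or the Conditional Access policy scope) rather than only as a user finding.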

Get a professional assessment of your SMB cloud security configuration and full attack surface with an SMB Security Health Check — delivered in 48 hours for $17.