No great surprise, then, that Gmail is also a favored target of malicious actors. Unlike your business email, personal Gmail accounts tend to stay in use for years; it was launched in 2004. This creates a treasure trove of valuable data that can be used by hackers to launch ongoing attacks. Business email accounts also tend to be better secured than personal ones by default. And then there’s the not-so-small matter of password reset requests that usually default to your email. So, it doesn’t take a cybersecurity genius to calculate the impact of your Gmail account being compromised. In order to access your Gmail, threat actors need to compromise your Google account. Here’s how to stop them.
How to secure your Gmail account against hackers
But it’s not all bad news as it’s pretty damn easy to protect your Google account and, by extension, your Gmail account, at least as well as anything that can be secured. All you need to do is take Gmail security seriously, and I’m here to explain how.
For most people, most of the time, Google account security comes down to two things: login credentials and two-step verification.
1. Ensure you have a unique and strong password. As I always say at this point, a password manager is your friend, both in creating that password and when required to use it.
2. Ensure you have two-step verification enabled for your Google account. You may have already been prompted to do this as Google has been ramping up a ‘default to enable’ program since the end of last year.
Two-Step Verification is your Google account friend, so use it
Google offers multiple secondary verification options, the most convenient being a Google prompt to a different device than the one you are using to sign in. So, if you are on your laptop, it would go to your phone and vice versa. Add an authentication app, Google Authenticator being the default, but you can use Authy or similar as a backup. Talking of which, make a note of your backup codes in case of failure elsewhere. These can be stored in your password manager, for example.
The most secure form of secondary verification is using a security key, and Google offers this option as well. Google sells its own brand, or you can use YubiKey. If you enroll in the Advanced Protection Program, suggested for high-value accounts such as journalists, activists, and the like, then the use of such a key is mandatory.
Google account security checkup
So, those are the givens. However, there are lots more layers that can be added to your Gmail security cake. The first of encompasses which what’s already been stated but goes further, yet only takes a few minutes of your day. I’m talking about a Google account security checkup. Doing so will pop up recommended security actions based on your existing settings, show you what devices have logged into your account, from where and when, detail those apps you’ve given access to your account, and offer the chance to revoke any you no longer use or don’t recognize, and highlight any ‘sensitive’ Gmail settings you are using.
It really is a one-stop security checklist shop and I highly recommend spending some time doing it. The part that shows devices that have logged in to your account is beneficial for flying bright red flags regarding the security and privacy of your Gmail account. It will show you when the device logged in, the type of device, and where it was located. The latter not being as helpful as the former, thanks to being so easy to fake.
Think outside the Google box for better security
It would help if you also thought outside the Google box a little. By which I mean that your operating system is fully patched with the latest security updates. Ditto for your web browser of choice and any third-party apps you use in conjunction with Gmail. It’s also recommended that you regularly audit your browser extensions and app, deleting those you no longer use.