October 8, 2020

BYOD – The Google Workspace Features That Ensure Device Security

Remote working and BYOD (Bring Your Own Device) approaches are now the norm throughout society. This means employees using their personal devices to work and access corporate data.

Whilst this is an excellent display of resourcefulness and resilience in the current tough times, for IT managers operating with outdated IT solutions it could be a cause for major concern. How can they keep company data safe with various device types and software versions being used? A one-size-fits-all approach to Device Management is no longer possible.

Luckily, this is a worry that Google Workspace (formerly known as G Suite) users need not have. Here at Cobry, we can aid you in implementing Google's security features that ensure your Google Workspace data is completely safe - even when operating with a BYOD strategy. Let’s take a look at them now.


Google Endpoint Management for BYOD Devices

Google Endpoint Management ensures a secure BYOD approach by applying a base level of security to every device (corporate and BYOD) that accesses Google Workspace (formerly known as G Suite) data. IT managers can support a variety of device models (mobile and desktop) by requiring minimum software versions and refusing the use of jailbroken or rooted devices.

When a device logs into a Google Workspace account through any browser on a Windows, Mac, Chrome or Linux device, it is automatically enrolled with Endpoint Management. This gives IT admins access to valuable information such as the device type, operating system, and its first and last sync to the admin console. 

This data aids admins in making more informed decisions around Device Management and security. Moreover, it provides a clear understanding of all of the devices that are accessing corporate information. By enrolling in Endpoint Management, Cobry can aid you in taking important remedial action if a device has been lost, stolen or compromised. For example, we can remotely log users out from devices and wipe compromised Google accounts.

So, no matter the device type and no matter the operating system, Endpoint Management gives you the information needed to effectively manage a BYOD approach.

Device Management for BYOD Mobile Devices

If use of mobile devices is part of your organisation's BYOD approach, Google Workspace still has you covered. Google offers two solutions for mobile Device Management - Basic and Advanced.

Mobile Device Management

Basic Mobile Device Management ensures BYOD mobile devices are secured with baseline security features. With this feature, it is possible to:

  • Enforce passcodes
  • Remotely wipe Google data
  • Receive device inventory
  • Remotely force install applications on Android devices

Using Advanced Mobile Device Management, it is possible for:

  • IT admins to apply additional controls over BYOD devices
  • Android users to use Android Profiles which keep their work and private data separate on the same device

Context-aware Access on BYOD Devices

Context-aware access uses information such as user identity, location, device security status and IP address to grant (or deny) access to Google Workspace services. This means that Google Workspace services - and data that may be stored there - are protected against unauthorised access without the need for a VPN. 

Cobry can help you make the most out of Context-aware Access by administering different levels of access depending on user attributes. For example, on BYOD devices, controls can be put in place to increase security levels such as encryption and password requirements to access various Google Workspace services. 

Therefore, through knowledge of these attributes, you can give access to the right BYOD devices and reject access requests from unwanted devices.

App access control on BYOD Devices

App Access Control allows IT admins to protect corporate and BYOD devices from malicious app attacks. IT admins have full control over which third party apps are allowed to access Google Workspace data. This means they can choose to trust, limit or block access for particular apps. So, even when implementing a BYOD strategy, rest assured that important company data will remain in safe - and the correct - hands.

BYOD 2-Factor Authentication

2-Factor Authentication (2FA) ensures a secure BYOD strategy by requiring additional proof of identity before accessing a Google Workspace account. Step 1 includes the provision of user-sensitive information such as a password. Step 2 requires that the user use something they have to gain access: for example, an access code delivered to a different device via text message, or a third party app such as Google Authenticator. This ensures that even if a BYOD device has been compromised, Google Workspace data will remain secured.

Google also offers its Advanced Protection Program to those most at risk of being targeted by online attackers. The Advanced Protection Program goes beyond 2FA by requiring the use of a physical Security Key when logging on from a new device. This means that attackers will be unable to access the Google Workspace account, even if a password has been compromised.

When the Advanced Protection Program is used with Google Chrome, files are automatically scanned and users are warned of potentially harmful downloads. Additionally, the programme blocks access from untrusted apps and provides enhanced scanning for email threats.

Data Loss Prevention 

Data loss prevention (DLP) helps to protect information held in Google Drive, Docs, Sheets, Slides and Gmail from being lost, deleted or misused. Cobry can aid you in setting policies that specify which types of data are sensitive and how they should be protected. Therefore, you can be certain that your organisation's important data will always be safe.

We can also enable Data Exfiltration Protection (DXP) on iOS devices to prohibit copying and pasting Google Workspace data to other accounts. It restricts the ability to drag and drop files from specific apps within users’ Google Workspace accounts. Meanwhile, on Android devices, it is possible to prevent data sharing between profiles by using Google Endpoint Management. 

Retention and eDiscovery with Vault 

Finally, Vault enables corporate data accessed by BYOD or corporate owned devices to support the organisation's retention and eDiscovery needs. This means that you can be assured data is always accessible to Vault, even on BYOD devices.


Thanks to these great features, Google Workspace users need not fret over BYOD security. No matter the device type or system, whether it is corporate-owned or BYOD, enabling these features will ensure your organisation's important data is always secured. Just what we all needed to hear as we embark on the coming months of remote working!

Want to know more about how Cobry can help you keep your organisation safe? Book a Discovery Call to chat to us now.

March 9, 2020

Security & Compliance in The Cloud

Security & compliance is higher up on organisations' agendas than ever before, and it’s not surprising. The National Cyber Security Centre identified five main incident trends in the period between October 2018 and April 2019, highlighting five main areas of vulnerability.

Incident trends

There has been significant use of tools and scripts to try and guess users’ passwords. This has almost become the daily norm for Office 365 deployments with attacks now being mounted at scale across the Internet without ever having a foothold within the corporate infrastructure. 

A successful login will give access to corporate data stored in all Office 365 services. For example, both SharePoint and Exchange can be compromised, as well as any third-party services an enterprise has linked to Azure AD.

Password spraying

The most common attack affecting Office 365 is password spraying, which attempts a small number of commonly used passwords against multiple accounts over a long period of time. In most cases, attackers aren’t after just one specific account. This doesn’t tend to trigger account lockouts because the limit of failed attempts is not reached, and as a result this can make it much harder for IT security teams to spot them.

A recent report stated that 60% of Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks. However, it's important to note that G Suite administrators can disable IMAP connectivity, mitigating the risk to their G Suite users.
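The gap described above, where per-account lockout counters stay quiet while one source fails against many accounts, can be shown with a small detection sketch. This is an added example, not code from the original article or from Google or Microsoft; the event format, thresholds and sample sign-in events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5          # assumed per-account lockout limit
SPRAY_MIN_ACCOUNTS = 4         # assumed: distinct accounts failed from one source
WINDOW = timedelta(hours=24)   # assumed look-back window (sprays are slow)

# Constructed sample sign-in events: (ISO timestamp, source IP, user, outcome)
SAMPLE_EVENTS = [
    ("2019-03-01T02:00:00", "203.0.113.7", "alice", "fail"),
    ("2019-03-01T02:40:00", "203.0.113.7", "bob", "fail"),
    ("2019-03-01T03:20:00", "203.0.113.7", "carol", "fail"),
    ("2019-03-01T04:00:00", "203.0.113.7", "dave", "fail"),
    ("2019-03-01T09:00:00", "203.0.113.7", "alice", "fail"),
    ("2019-03-01T09:45:00", "203.0.113.7", "erin", "success"),
    ("2019-03-01T10:00:00", "198.51.100.20", "frank", "fail"),
    ("2019-03-01T10:01:00", "198.51.100.20", "frank", "fail"),
    ("2019-03-01T10:02:00", "198.51.100.20", "frank", "success"),
]

def accounts_locked_out(events):
    """Per-account view: accounts whose failures reach the lockout limit."""
    fails = defaultdict(int)
    for _, _, user, outcome in events:
        if outcome == "fail":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD)

def detect_spraying(events):
    """Per-source view: sources failing against many accounts within WINDOW."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome))
    findings = []
    for ip, rows in by_source.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= WINDOW]
            failed = {u for _, u, o in window if o == "fail"}
            if len(failed) >= SPRAY_MIN_ACCOUNTS:
                # Any success from a spraying source needs a credential reset.
                hits = sorted({u for _, u, o in window if o == "success"})
                findings.append({"source": ip, "failed_accounts": sorted(failed),
                                 "successes_to_review": hits})
                break
    return findings
```

Grouping by source IP is a simplification: a spray spread across many addresses needs the same count taken over another shared attribute, such as client protocol or user agent.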

Credential stuffing

On a smaller scale, we have also seen credential stuffing. This takes pairs of usernames and passwords from leaked data sets and tries them against other services, such as Office 365.

This is difficult to detect in logs as an attacker may only need a single attempt to successfully log in if the stolen details match those of the user's Office 365 account.

Similarly to password spraying, this targeted method can be combatted by disabling IMAP connectivity within G Suite.

Ransomware

Ransomware attacks prevent organisations from using their computers or accessing their data, typically by encrypting files and folders. Once this hold is in place, the hackers request payment to release the organisation’s data and allow them to get back to work. 

It’s important to note, however, that no Google file formats can be affected by this, as they are not traditional files like Word or Excel; they are in fact web files with no physical storage location. This means that organisations that use G Suite and store their files within Google Drive are instantly protected from ransomware attacks without having to shell out huge amounts of money on additional security products.

Email Protection

Gmail has long since been the standard-bearer for security & compliance around email through anti-phishing measures and high levels of spam protection for users. This has covered for the most part both consumer and G Suite users. 

Confidential Mode - users can help protect sensitive information from unauthorised access using Gmail confidential mode. Recipients of messages in confidential mode don't have the option to forward, copy, print, or download messages, including attachments. Users can set a message expiration date, revoke message access at any time, and require an SMS verification code to access messages.

Data Loss Prevention (DLP) - analyses the files in your organization’s Team Drives for sensitive content. You can set up policy-based actions that will be triggered when any sensitive content is detected.

Gmail Security Sandbox - a sandbox detects the presence of previously unknown malware in attachments by virtually "executing" them in a private, secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behaviour.

Staff Training

All businesses need to be proactive in training their staff for GDPR. When new staff members come on board, they should receive data management training, and all members of the team should understand how your business specifically uses data. 

Allied to that, IT partners such as Cobry should be engaged to teach best practices within the organisation through training sessions, either in person or through webinars. 

2SV

One of the most effective ways to protect yourself from being hacked is 2SV.

There are multiple 2SV methods, including SMS Text, Google Prompts on mobile devices, and physical USB Security Keys.

Using 2-Step Verification (2SV) provides users with a better option to secure their accounts. As well as 2SV over an encrypted connection, users can also block unauthorised access to their accounts with Google Prompt which delivers real-time prompts, telling the user when they have logged into another device.

This update comes through as a pop-up notification on the Google app. This allows users to answer “yes” or “no” when asked, “are you logging in?”

Allied to that, additional control can be gained from deploying Cloud Identity. For full details please click here.

How Cobry Helps

One of the most comforting services Cobry offers is a full Security & Compliance Review. 

This can give you valuable insight into your organisation's security & compliance setup. You can find out more here, and you can also get in touch via the button below.

August 14, 2019

G Suite FCA Compliance

Financial Companies Seize Path to the Cloud

When Board meetings within the Financial Services sector start addressing the subject of migrating to the Cloud, you can be sure that this technology has matured to provide a credible improvement on legacy infrastructure. So much so, that we have recently helped multiple financial companies gain FCA approval by leveraging the powerful security features within G Suite.

Highly regulated companies such as HSBC, ABN Amro, Allianz and PayPal have all taken the plunge and invested in Google Cloud & G Suite FCA compliant tools.

What did these companies consider in this process though and how can it be applied to yours?

Securing company data

Unfortunately, it is almost impossible to prevent your employees’ mobile devices being lost or getting stolen from time to time. When these incidents occur it does not have to be such a worry.

G Suite keeps your company’s data secure with mobile device management (MDM) policies. With basic management, you can ensure that mobile devices require screen locks and/or strong passwords on your employees’ devices, keeping your corporate data secure. In addition, G Suite allows you to erase confidential business data with device wipe, or selected account wipe for Android or iOS. You can see the list of devices that are accessing corporate data in the Google Admin console.

G Suite's Mobile Device Management means that you can manage, secure and monitor all mobile devices that are in your organisation. It is possible to manage a range of devices, including phones, tablets, and even smartwatches. People are still able to use their own personal devices for work (BYOD) as you will be able to wipe their corporate accounts on their devices, should the worst happen.

So, how does G Suite protect my data?

When you decide that you would like to store your data with G Suite, it is then protected in a number of different ways. This includes advanced phishing detection with the aid of machine learning, authentication with security key enforcement and also prevention of data leakage.

Because G Suite is a 100% cloud-based system, you can be protected from attacks such as ransomware, viruses, and malware. There is no need to install a separate system for spam processing because Gmail uses machine learning to automatically filter any spam and to scan all emails for suspicious and dangerous content. The G Suite administrator can also control all attachments sent and received by your organisation so that nobody opens or sends anything that they shouldn’t.

Other security-centric features include:

  • Confidential Mode - users can help protect sensitive information from unauthorised access using Gmail confidential mode. Recipients of messages in confidential mode don't have the option to forward, copy, print, or download messages, including attachments. Users can set a message expiration date, revoke message access at any time, and require an SMS verification code to access messages.
  • Data Loss Prevention (DLP) - analyses the files in your organization’s Team Drives for sensitive content. You can set up policy-based actions that will be triggered when any sensitive content is detected.
  • Gmail Security Sandbox - a sandbox detects the presence of previously unknown malware in attachments by virtually "executing" them in a private, secure sandbox environment, and analyzing the side effects on the operating system to determine malicious behaviour.

2 Factor Authentication keeps your data secure  

Using 2 Factor Authentication (2FA) provides users with a better option to secure their accounts. As well as 2FA over an encrypted connection, users can also block unauthorized access to their accounts with Google Prompt that delivers real-time prompts, telling the user when they have logged into a device.

This update comes through as a pop-up notification on the Google app. This allows users to answer “yes” or “no” when asked, “are you logging in?”

Allied to that, additional control can be gained from deploying Cloud Identity. For full details please click here.

Automatic rules ensure G Suite FCA compliance

There are now new device rules for Device Management, which allow G Suite admins to define custom rules that create triggers for certain actions or events. For example, if something occurs on one of your company’s devices that’s been specified in a custom rule, the corresponding action that’s been set will automatically be carried out. Some of these rules include:

  • Approve select mobile devices when the device is enrolled.
  • Block access to corporate data if a specific app is installed.
  • Block access to account/wipe the device if the user has more than 5 failed screen unlock attempts.
  • Block access to/wipe the account if there is suspicious activity found on the device.

3rd Party App Control

Google can also protect your data against phishing attacks. Google provides 3rd party control with OAuth apps whitelisting. This gives your company extra control over 3rd party applications that have access to your data. It is now possible for admins to specifically select which apps can have access to which users' G Suite data. This keeps your data safe by ensuring that your users don’t accidentally grant access to apps that may be malicious.

Google Cloud & G Suite FCA Accreditations

As if that wasn’t enough, Google Cloud Platform has been awarded independent security standards including ISO27001 and ISO27017 (see the full list here).

And finally a quote from the CIO of HSBC -

“We have peace of mind knowing that Google Cloud takes security and compliance very seriously”

Group CIO, HSBC (2018)

Contact Us

We are always happy to talk through your requirements here at Cobry, and we may even be able to give you a free IT security checkup in the process to help you with your G Suite FCA compliance!
