How secure is Gmail?
The practical steps you should take to secure your Gmail account, from implementing 2FA to performing regular checkups
One of the biggest questions in the realm of information security centres on how secure Gmail is, and how much the platform respects user privacy.
Simply put, Gmail is only as secure as the steps you take to secure your Google account and your awareness of incoming risk allow. As for privacy, it’s a little more complicated.
We break down how to secure your Gmail account, and the steps you can take to block email marketing trackers and bolster your privacy as much as possible.
For most, Google account security comes down to ensuring you use a unique and strong password, and whether or not you have two-factor authentication (2FA) in place.
Twitter recently published a transparency report that revealed only 2.3% of active accounts have 2FA enabled, and of those users the vast majority were employing SMS-based 2FA. That's the least secure option, but still better than nothing. Hardly anyone, 0.5%, was using a hardware security key, while under a third (30.9%) of those users used an authenticator app.
Google offers multiple types of 2FA. The first is by voice or text message, which we wouldn’t recommend as it's the easiest option for a cyber criminal to overcome thanks to the relative simplicity of a SIM-swap attack. It’s better than nothing, again, and most people won't enter the threat radar where such an attack is likely anyway.
The second option involves Google prompts being sent to another device you're signed in on. This avoids the SIM-swap vulnerability by requiring an attacker to be in possession of the device. There’s also the use of authentication codes churned out by Google Authenticator.
We recommend using both: one as your default and the other for those times when that option isn't available to you for whatever reason. You will also get a set of ten-digit single-use codes that you can store somewhere safe as another backup for signing into your account in an emergency.
The final option is the most secure, but can be expensive and more intrusive on the user experience: a security key. These keys are either of the hardware variety, such as a YubiKey or Google's own Titan key, or come built into your smartphone. The use of a security key is mandatory if you are enrolled in Google's Advanced Protection programme, which is designed for accounts at greater risk of targeted attack.
Consider how the Google ecosystem wraps around multiple aspects of your online life by collecting all kinds of data – email, web, personal assistants, the list goes on – which means access to your core account is a highly prized target for cyber criminals.
Access to your Google account gives access to Gmail, which gives access to password resets, which gives access to, well, almost everything.
Perform a security checkup
It's a good idea to perform a security check-up regularly, and Google makes that easy. Just visit the Security Checkup page in the security section of your Google account (manage your account: security-checkup). This lets you review which apps have access to your account and revoke access for any that are non-essential. You should also keep your OS, browsers, and apps up to date and remove any browser extensions and apps you no longer use.
What about the privacy issue? Some of the functionality that is one of the big draws for users, such as adding delivery confirmation data from emails to Google Calendar, depends on Google scanning your mail. So, how worried should you be? That depends on your aversion to the collection of such data and the importance of the functionality it enables.
Google will say, rightly, that what it collects is mostly metadata. What's more, Google will also assure users that, for example, the data gathered by those automated email scans isn't used for advertising purposes.
According to Google CEO, Sundar Pichai, "we don't sell your information to anyone, and we don't use information in apps where you primarily store personal content – such as Gmail, Drive, Calendar and Photos – for advertising purposes, period".
Moving to another email provider, such as Outlook.com, may not be the answer you're looking for either, as metadata collection and user activity data are employed almost universally. Sure, there are niche providers that are more privacy-focused, but you lose the type of cross-application functionality that drove you to Gmail in the first place.