How secure is Gmail?
The practical steps you should take to secure your Gmail account, from implementing 2FA to performing regular checkups
One of the biggest questions in the realm of information security centres on how secure Gmail is, and how much the platform respects user privacy.
Simply put, Gmail is only as secure as the steps you take to secure your Google account and your awareness of incoming risk allow. As for privacy, it’s a little more complicated.
We break down how to secure your Gmail account, and the steps you can take to block email marketing trackers and bolster your privacy as much as possible.
For most, Google account security comes down to ensuring you use a unique and strong password, and whether or not you have two-factor authentication (2FA) in place.
Twitter recently published a transparency report that revealed only 2.3% of active accounts have 2FA enabled, and of those users the vast majority were employing SMS-based 2FA. That's the least secure option, but still better than nothing. Hardly anyone (0.5%) was using a hardware security key, while under a third (30.9%) of those users used an authenticator app.
Google offers multiple types of 2FA. The first is by voice or text message, which we wouldn’t recommend as it's the easiest option for a cyber criminal to overcome thanks to the relative simplicity of a SIM-swap attack. It’s better than nothing, again, and most people won't enter the threat radar where such an attack is likely anyway.
The second option involves Google prompts being sent to another device you're signed in on. This avoids the SIM-swap vulnerability by requiring an attacker to be in possession of the device. There’s also the use of authentication codes churned out by Google Authenticator.
We recommend using both: one as your default and the other for those times when that option isn't available to you for whatever reason. You will also get a set of ten-digit single-use codes that you can store somewhere safe as another backup for signing into your account in an emergency.
The final option is the most secure, but can be expensive and more intrusive on the user experience: a security key. These keys are either hardware devices, such as a YubiKey or Google's own Titan key, or built into your smartphone. The use of a security key is mandatory if you are enrolled in Google's Advanced Protection programme, which is for accounts at greater risk of targeted attack.
Consider how the Google ecosystem wraps multiple aspects of your online life by collecting all kinds of data – email, web, personal assistants, the list goes on – and that means access to your core account is a highly prized target for cyber criminals.
Access to your Google account gives access to Gmail, which gives access to password resets, which gives access to, well, almost everything.
Perform a security checkup
It's a good idea to perform a security check-up regularly, and Google makes that easy. Just open the Security Checkup from the Security section of Manage your Google Account. This lets you remove account access from non-essential apps. You should also keep your OS, browsers, and apps up to date and remove any browser extensions and apps you no longer use.
What about the privacy issue? Some of the functionality that is a big draw for users, such as adding delivery confirmation details from your emails to Google Calendar, relies on Google processing your email data. So, how worried should you be? That depends on your aversion to the collection of such data and the importance of the functionality it enables.
Google will say, rightly, that what it collects is mostly metadata more than anything. What's more, Google will also assure users that, for example, the data found from those automated email scans isn't used for advertising purposes.
According to Google CEO, Sundar Pichai, "we don't sell your information to anyone, and we don't use information in apps where you primarily store personal content – such as Gmail, Drive, Calendar and Photos – for advertising purposes, period".
Moving to another email provider, such as Outlook.com, may not be the answer you're looking for either, as metadata collection and user activity data are employed almost universally. Sure, there are niche providers that are more privacy-focused, but you lose the type of cross-application functionality that drove you to Gmail in the first place.