It’s Not All or Nothing: How Nonprofits Can Secure Google Workspace
“Should we just leave Google?”
It’s a question we hear again and again.
For many nonprofits, Google Workspace is mission‑critical. It’s where staff email, collaborate on grant proposals, manage sensitive documents, and share information with partners and communities. And because of this, it’s also where a growing amount of organizational risk lives.
It’s an understandable question, especially for organizations doing advocacy work, supporting vulnerable populations, or operating in politically sensitive environments. But for most nonprofits, a full exit from major platforms like Google Workspace isn’t possible or realistic. In many cases, departing from Google products can make an organization’s security posture worse.
What is realistic is what we call the happy middle: staying on Google Workspace while significantly reducing risk from hackers and limiting exposure to government overreach.
Why Leaving Google Often Backfires
In theory, moving entirely to self‑hosted or privacy‑focused tools offers maximum control. In reality, it usually introduces new problems:
Self‑hosting requires infrastructure, maintenance, and constant patching
Under‑resourced teams struggle to keep systems secure over time
Staff bypass clunky tools by creating extra personal Gmail or Dropbox accounts
Sensitive data spreads into areas IT can’t see or protect
This phenomenon, called shadow IT, is one of the fastest ways to lose control of organizational data, and it is a mess to clean up and control. A poorly secured self‑hosted platform, coupled with widespread workarounds is almost always riskier than a hardened, well‑managed Google Workspace.
Cyber Security Is a Spectrum
Think of your options on a spectrum. On one end, we have the status quo where the organization continues to operate with no changes. Though this is the cheapest option, it’s also leaves data completely exposed. On the other end, we have full migration to a self-hosted solution, but this requires significant IT know-how and ongoing support. This option may be the best for large organizations with substantial funding that handle extremely sensitive information. It’s generally not achievable or advisable for small organizations without budget.
For most organizations, staying on Google Workspace is realistic. It’s what staff knows. The Happy Middle offers impactful protections are achievable today, often without disrupting staff workflows.
Start With Easy Wins
Start here. These changes can help dramatically reduce the organization’s risk from common cyber attacks. Staff won’t feel these admin-side changes in their day-to-day work.
1. Mandate Multi‑Factor Authentication
This is the single biggest security improvement your organization can make.
Mandating multi-factor authentication (MFA) for all users makes accounts vastly harder to compromise. In fact, accounts with MFA enabled are 99% less likely to be compromised, according to CISA.
Start by setting up MFA for account admins, which are the most important accounts to protect. If a hacker compromises an admin account, they have the keys to the entire organization.
Here’s how to set up MFA
Go to the Admin Console > Security > Authentication > 2-Step Verification
You can enforce (not just allow, which can be turned off) MFA for the entire organization.
One thing to note: Push notifications, passkeys, or hardware security keys are far stronger than SMS codes and should be prioritized. Turn off SMS.
Next, prepare the entire organization. Communicate clearly with staff about how to use MFA through a straightforward how-to guide or a 15-minute help session, and give them a date for when MFA will be officially rolled out.
Mandating MFA takes minutes to configure and is available on all Google Workspace plans, including the free nonprofit membership. Most people already use MFA on their banking apps or websites, so this transition should be relatively smooth.
2. Lock Down Email Impersonation with SPF, DKIM, and DMARC
Without proper email authentication, attackers can send messages that look like they came from your organization to donors, partners, or staff. Implementing these protocols is a proactive step towards safeguarding the organization’s email domain, protecting your reputation, and ensuring trustworthiness of its email correspondence.
What does that look like in practice? Configuring SPF, DKIM, and DMARC:
Prevents domain impersonation and phishing
Protects donor trust
Improves newsletter and fundraising email deliverability
This is admin‑only work and does not affect the workflow of staff. Staff won’t notice, except when emails stop landing in spam.
3. Close Quiet Backdoors
These changes reduce unseen entry points attackers frequently exploit. A few quick checks go a long way:
Disable Less Secure App Access: Blocks apps that bypass modern authentication. Admin Console > Security > Access and Data Control > Less Secure Apps
Review third-party app OAuth permissions: See which apps your staff have granted access to your org’s data. Admin Console > Security > API Controls > App Access Control
Disable POP and IMAP access: Unless your org specifically needs it, turn it off. Reduces credential-based attack surface
Subscribe to the Google Workspace Alert Center: Admin Console > Security > Alert Center. Review regularly
Medium‑Effort Changes With Big Payoffs
Let’s move on to the next level of cyber security changes. These steps require some staff communication, but the impact is manageable, and most importantly, and worth it.
4. Control How Data Leaves Your Org
We know that many nonprofits share Google Docs and other files externally to coordinate volunteers, share information across coalitions, and other tasks that are essential to day-to-day operations. We suggest making this one change to tighten security when data leaves your organization to prevent accidental exposure:
Google Drive sharing: Set the default permission to “your organization only.” Staff can still share externally when needed, they just have to be intentional about it
Email auto-forwarding: Disable automatic forwarding to external addresses. This is a common data exfiltration vector
Link sharing defaults: Change from “Anyone with the link” to “Restricted” or “People in your organization”
5. Use Google’s Advanced Protection for High‑Risk Roles
The strongest account security Google offers is free for all Google Workspace users, including the nonprofit plan. Google’s Advanced Protection Program protects against targeted attacks by sophisticated hackers and state-sponsored actors. It’s ideal for:
Executive directors or individuals at the highest levels of leadership
Finance and HR staff
Advocacy and organizing roles
Anyone handling sensitive data which, if exposed, could result in identity theft, impersonation, financial loss, regulatory penalties, or reputational data
It requires passkeys or hardware security keys and blocks high‑risk third‑party apps. If your organization needs hardware security keys, check out Defending Digital Campaigns, which provides free Titan Security Keys to qualifying organizations.
Enrollment is voluntary and cannot be mandated, so buy-in from leadership matters, but the protection is substantial.
6. Delete Data Automatically and Aggressively
Here’s the reality: data that does not exist cannot be seized.
By default, Google retains deleted emails and files indefinitely. Automating data deletion protects organizations against government overreach.
Google Vault allows organizations on Business Plus or higher to set automated retention rules that permanently delete data after a defined period on Gmail, Drive, Chat, Meet recordings, and Voice data. Google Vault requires Google Workspace Business Plus or higher and is not available on the free nonprofit plan.
Important: We strongly recommend being as aggressive as possible; set the shortest retention periods your operations and legal obligations allow. Shorter retention windows mean:
Less data to hand over if served with legal process
Lower long‑term risk
Cleaner, more efficient systems overall
When determining retention periods, we find that nonprofit professionals often feel they need to retain historical records longer than they need to. While it might be nerve-wracking at first to determine when data will be deleted, you may be surprised just how easy it is to acclimate to the new retention rules after they are implemented.
Pair automation with a one‑time cleanup of old shared drives. Many nonprofit professionals are shocked by how much sensitive data they’ve kept “just in case.” You will also be surprised how easy it is to acclimate to new retention windows once they’re in place.
The Hardest (but Strongest Option
For organizations facing serious government surveillance risk and sophisticated attackers, Google Workspace Client-Side Encryption (CSE) is a game‑changer. It is the most powerful tool for protecting data from Google. With CSE,
Data is encrypted in the browser before reaching Google
Google cannot decrypt it, even if legally compelled
Encryption keys are held by an external provider you control
Covers Google Drive, Docs, Sheets, Slides, Calendar, Meet, and Gmail
Needs external key management (e.g., FlowCrypt, a provider based in France)
Needs an identity provider (IdP) that supports OpenID Connect
But this power comes with real trade‑offs that will affect staff directly:
Eliminates real‑time collaborative editing on encrypted files, though multiple users can edit a CSE-encrypted file
No shared inboxes or email aliases
Some file types are blocked as encrypted attachments
Limited mobile support for encrypted Drive files
Requires Google Workspace Enterprise Plus licensing, which is the highest and most expensive tier
Introduces workflow friction staff must be trained on to determine when to encrypt and when not to
CSE requires the highest and most expensive tier of Google Workspace. Because of the cost and collaboration impact, CSE works best when used selectively for an organization’s most sensitive work. It also requires a subscription to a key provider service which increases the cost of this approach.
You don’t have to choose between “do nothing” and “burn it all down.” Nonprofit cyber security works best when we approach it as an intentional reduction of risk, aligned with your organization’s needs and how staff actually work.
What This All Adds Up To: The Happy Middle
When it comes to securing your nonprofit’s Google Workspace against hackers and government overreach, we don’t believe it’s all-or-nothing. We recommend a measured, happy middle approach.
Working through this chart from top to bottom, prioritizing the easy category in the next week and medium category in the next month. These improvements have little to no staff impact, though these infrastructure investments will fundamentally change the organization’s security posture.
Then, think seriously about whether CSE is right for your organization. For some, the impact to staff workflow is worth it. For others, the cost and complexity may not be justified given your specific threat model. The happy middle isn’t one-size-fits-all. It’s about making intentional, informed decisions about what level of protection you need and what trade-offs you’re willing to accept.
