IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

How secure is Gmail?

The practical steps you should take to secure your Gmail account, from implementing 2FA to performing regular checkups

One of the biggest questions in the realm of information security centres on how secure Gmail is, and how much the platform respects user privacy. 

Simply put, Gmail is as secure as the steps you take to secure your Google account, and your awareness of incoming risk, allow. As for privacy, it’s a little more complicated. 

We break down how to secure your Gmail account, and the steps you can take to block email marketing trackers and bolster your privacy as much as possible.

Implementing 2FA

For most, Google account security comes down to ensuring you use a unique and strong password, and whether or not you have two-factor authentication (2FA) in place.

Twitter recently published a transparency report that revealed only 2.3% of active accounts have 2FA enabled, and of those users the vast majority were employing SMS-based 2FA. That's the least secure option, but still better than nothing. Hardly anyone, 0.5%, was using a hardware security key, while under a third (30.9%) of responders used an authenticator app.

Google offers multiple types of 2FA. The first is by voice or text message, which we wouldn’t recommend as it's the easiest option for a cyber criminal to overcome thanks to the relative simplicity of a SIM-swap attack. It’s better than nothing, again, and most people won't enter the threat radar where such an attack is likely anyway.

The second option involves Google prompts being sent to another device you're signed in on. This avoids the SIM-swap vulnerability by requiring an attacker to be in possession of the device. There’s also the use of authentication codes churned out by Google Authenticator. 

We recommend using both: one as your default and the other for those times when that option isn't available to you for whatever reason. You will also get a set of ten-digit single-use codes that you can store somewhere safe as another backup for signing into your account in an emergency.

The final option is the most secure, but can be expensive and more intrusive on the user experience: a security key. These keys are either of the hardware variety, such as a YubiKey or Google's own Titan key, but can also come built into your smartphone. The use of a security key is mandatory if you are enrolled in the Advanced Protection programme at Google, for accounts that are at a greater risk of targeted attack.

Consider how the Google ecosystem wraps multiple aspects of your online life by collecting all kinds of data – email, web, personal assistants, the list goes on – and that means access to your core account is a highly prized target for cyber criminals. 

Access to your Google account gives access to Gmail, which gives access to password resets, which gives access to, well, almost everything.

Perform a security checkup

It's a good idea to perform a security check-up regularly, and Google makes that easy. Just visit the security section under manage your account: security-checkup. This lets you remove account access from non- essential apps. You should also keep your OS, browsers, and apps up-to-date and remove any browser extensions and apps you no longer use.

Related Resource

CIAM buyer’s guide

Finding the right CIAM solution to capture & retain customers, fuel business growth and keep customers safe

Whitepaper cover with title and graphic made up of turquoise and grey pixelated shapesFree Download

What about the privacy issue? There's functionality that’s one of the big draws for users; such as adding delivery confirmation email data to Google Calendar. So, how worried should you be? That depends on your aversion to the collection of such data and the importance of the functionality it enables.

Google will say, rightly, that what it collects is mostly metadata more than anything. What's more, Google will also assure users that, for example, the data found from those automated email scans isn't used for advertising purposes. 

According to Google CEO, Sundar Pichai, "we don't sell your information to anyone, and we don't use information in apps where you primarily store personal content – such as Gmail, Drive, Calendar and Photos – for advertising purposes, period".

Moving to another email provider, such as, may not be the answer you're looking for either, as metadata collection and user activity data are employed almost universally. Sure, there are niche providers that are more privacy-focused, but you lose the type of cross-application functionality that drove you to Gmail in the first place.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022