3. Set up Two-Step Verification
This is the most important step in Google's Security Checklist. an extra layer of security to your Google account by requiring a special code to be entered on trusted computers once every 30 days, and any time you are accessing the account from a non-trusted computer. But this doesn't happen by default; you have to set it up with Google first.
I'll add that printing your backup verification codes is more secure than saving them to a text file. If you do choose to save them to a text file, don't name it "Backup Google Codes" or something similar.
While with Google is self-explanatory, this video from Google helps it make a lot more sense.
4. Require Google Accounts Used For Business to Be Secure