Disable POP/IMAP (if not in use) - We often access our Gmail account through various 3rd party email clients or through our smartphones. To do so, you must enable both POP and IMAP protocol support within your account. There's nothing wrong with doing so, but it can leave a backdoor for a hacker to fetch your emails through different email clients in case he succeeds in cracking your login credentials.
If you're not accessing your Gmail account on your smartphone or through any 3rd party email client, immediately disable both POP and IMAP protocol support through the 'Settings' option. This way you're ensuring that any attempt to access your account through an external mail client (mobile or desktop) is rejected right away. I generally access my account through a web browser and rarely check emails through my smartphone. That's why I've disabled POP but has kept IMAP active for mobile access.
Activate 2-step verification - This is one of my favorite security features present in Gmail. It is based on the principle of dual authentication where the user has to pass through two verification layers to gain access to the account. The first one is obviously the regular login credentials provided by the user every time he logs in. But, the second security layer asks for an authentication code that must be entered correctly to gain access to the account.
This security code is generated instantly as the first level (regular login) is crossed by the user and is immediately sent to the user's mobile phone through SMS. In other words, once you've activated this feature, a hacker not only has to steal your password but he must also take possession of your mobile phone. So, even if your password is leaked to someone else, one cannot penetrate into your account till your mobile phone is in your pocket. You can easily activate this feature through your Google account security settings.
Use application-specific passwords - This is yet another important security feature that is closely associated with 2-step verification procedure. There are several applications (e.g. 3rd party mail clients, IM clients) that don't support 2-step verification. To use your Gmail account with these applications you need a mechanism where the second authentication layer is not needed.
But, if we use our regular login credentials in the absence of the second layer, the whole purpose of 2-step verification is defeated. To solve this problem, Google lets you create application-specific passwords for each external application that doesn't support 2-step verification. This way, although the second authentication layer is absent, still one can only gain access to the account through a special application-specific password.
Keep an eye on account activity - Gmail provides an excellent feature that lets you monitor recent account activity. You can access this feature from 'Details' link on the bottom right side of your inbox. This will present you with a popup box with all the details of the recent account activity. These details include the device or client from which the account was accessed, IP address & location and the time when account access was in progress.
Apart from manually inspecting these details to pick any suspicious activity, you can also activate the alert feature that will prompt you with a warning message as soon as any suspicious login activity is detected by the Gmail system. Although you cannot rely completely on the automated alert system, inspecting these account activity details on the daily basis certainly makes your account more secure. Remember, sometimes while accessing your Gmail account on your smartphone through IMAP, the IP address reported in the activity details is that of the phone mail server fetching the mail on your behalf.
Use secure hypertext transfer protocol - And last but not the least is the important feature enabling encryption of the entire email traffic from your browser up to the server end. You can activate it easily from the settings menu. Activating this option ensures that wherever possible Gmail will use the 'https' protocol to encrypt the data before sending it to the server.
If you're accessing your account from a client or device that doesn't support this feature then you may risk keeping your email data open for packet sniffers. That's why I always prefer to access my Gmail account through the regular interface from my favorite browser.