The old model is broken
For most of the 2000s and early 2010s, network security was built on a simple idea: the corporate network is trusted, everything outside it is not. VPNs, firewalls, and perimeter defences enforced this boundary. If you were inside the network — physically or via VPN — you were assumed to be legitimate.
That model made sense when everyone worked at their desk, servers lived in a cupboard, and your data never left the building. None of those things are true anymore.
Your staff work from home, hotels, and cafes. Your data lives in Microsoft 365, Google Workspace, Xero, or a dozen other SaaS platforms you don't control. Your "network" now includes every device your staff use, on every network they connect from. The perimeter is gone.
This is why Zero Trust exists. It's not a product — it's a philosophy, and it has one core principle:
Never trust, always verify. Every access request must be authenticated and authorised, regardless of where it originates.
In practice, this means you stop assuming that someone on the corporate network is legitimate just because they got through the front door. You verify identity and authorise access for every request, every time.
What Zero Trust looks like in practice
Vendors love to sell Zero Trust as a platform you buy. In reality, it's a set of principles you implement over time. Here's what it actually involves:
1. Strong identity verification (MFA, everywhere)
This is the single most impactful thing you can do. Multi-factor authentication on every account — email, VPN, line-of-business apps, admin consoles — eliminates a huge percentage of credential-based attacks.
In 2026, there is no legitimate excuse for not having MFA on Microsoft 365 or Google Workspace. Enable it. Enforce it. No exceptions for the boss.
2. Least privilege access
Who actually needs admin rights? Probably not as many people as currently have them. Audit your user accounts and ask: does this person need this level of access to do their job? Apply the principle of least privilege — grant only the access required, nothing more.
This includes service accounts. If your backup software runs as a domain admin because "it was easier to set up that way," that's a ticking clock.
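As an added example that is not from the original post, the following Microsoft Graph PowerShell script inventories the privileged-account audit described above for a Microsoft 365 tenant: it lists every activated directory role and its members, and flags service principals holding a role and users with no sign-in in the last 90 days. It assumes the Microsoft.Graph module is installed, an account with the read-only scopes shown, and an Entra ID P1 licence (included in Business Premium) for sign-in activity data.

```powershell
# Added example: inventory directory-role (admin) assignments in Microsoft 365.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).
# All scopes requested are read-only: nothing here changes the tenant.
Connect-MgGraph -Scopes "Directory.Read.All", "RoleManagement.Read.Directory", "AuditLog.Read.All"

$staleAfter = (Get-Date).AddDays(-90)
$findings   = @()

# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members come back as generic directory objects; the details sit in AdditionalProperties.
        $type = $member.AdditionalProperties['@odata.type']
        $name = $member.AdditionalProperties['userPrincipalName']
        if (-not $name) { $name = $member.AdditionalProperties['displayName'] }

        $lastSignIn = $null
        if ($type -eq '#microsoft.graph.user') {
            # SignInActivity is only returned when requested explicitly (needs AuditLog.Read.All).
            $user = Get-MgUser -UserId $member.Id -Property 'SignInActivity'
            $lastSignIn = $user.SignInActivity.LastSignInDateTime
        }

        $flag = ''
        if ($type -eq '#microsoft.graph.servicePrincipal') {
            $flag = 'service principal holds a directory role - confirm it really needs it'
        } elseif ($null -eq $lastSignIn -or $lastSignIn -lt $staleAfter) {
            $flag = 'no sign-in in 90 days - stale privileged account, remove or disable'
        }

        $findings += [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $name
            Type       = $type -replace '^#microsoft\.graph\.', ''
            LastSignIn = $lastSignIn
            Flag       = $flag
        }
    }
}

# Full inventory on screen; only the flagged rows go to the review spreadsheet.
$findings | Sort-Object Role, Member | Format-Table -AutoSize
$findings | Where-Object Flag | Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

Role membership granted through groups is not expanded here; if you use role-assignable groups, walk their members as well before signing off the review.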
3. Network segmentation
Your corporate workstations, your IoT devices (cameras, printers, smart TVs), and your guest WiFi should not all be on the same network segment. If a ransomware infection hits one device, segmentation is what stops it from spreading laterally to everything else.
This doesn't require enterprise gear. Most decent SMB-grade firewalls (Sophos, Fortinet, pfSense, OPNsense) support VLAN-based segmentation. Your IT person can have this set up in a day.
4. Device trust
Zero Trust asks: is the device that's authenticating actually managed and healthy? A user with valid credentials on an unmanaged personal laptop that hasn't been patched in six months is still a risk.
For SMBs, basic device hygiene covers a lot of ground: endpoint management (Intune, Jamf), enforced disk encryption, and automatic OS updates. You don't need sophisticated device attestation to get most of the benefit.
5. Application-level access, not network-level access
Traditional VPNs give users access to the whole network. Application-aware proxies give users access only to specific applications. Tools like Cloudflare Access, Tailscale, or Zscaler let you expose individual apps without exposing the whole network.
Cloudflare Access has a generous free tier (up to 50 users). For many SMBs this is a better answer than running a traditional VPN.
What not to do
Don't buy a "Zero Trust Platform" because a vendor told you that you need one. Many of these products are genuine and useful — at scale. For an SMB with 30 users, the platform you already pay for (Microsoft 365 Business Premium, for example) already includes most of what you need.
Microsoft 365 Business Premium includes:
- Conditional Access policies (enforce MFA, device compliance checks)
- Microsoft Defender for Business (endpoint protection)
- Intune (device management)
- Azure AD Identity Protection
That's a solid Zero Trust foundation already included in a licence you may already be paying for. Configure it before you spend money on something new.
A practical starting point
If you want to start implementing Zero Trust principles today, without buying anything, here's an ordered list:
- Enable and enforce MFA on all cloud accounts, including admin accounts.
- Audit privileged accounts. Remove admin rights from anyone who doesn't need them.
- Segment your network. At minimum, separate IoT and guest WiFi from corporate devices.
- Enable disk encryption on all endpoints (BitLocker, FileVault, or LUKS).
- Review your conditional access policies in M365 or Google Workspace.
- Audit which SaaS apps staff use and ensure they all require corporate SSO where possible.
None of these steps require a purchase. Most can be done with tools you already own. A Zero Trust journey starts with configuration, not procurement.
The bottom line
Zero Trust isn't a product, a vendor, or a one-time project. It's a way of thinking about access and trust that acknowledges the modern reality: your network has no meaningful perimeter, and identity is your new security boundary.
For SMBs, the priority is clear: get MFA enforced, get least privilege implemented, and get your devices managed. The rest follows from there. You don't need an enterprise budget to dramatically improve your security posture — you need discipline and a methodical approach.
After 25 years of helping businesses recover from security incidents, we can tell you: the organisations that get breached almost always have a few things in common. Weak passwords or no MFA. Accounts with more access than they needed. No network segmentation. These are not exotic failures — they're preventable ones.
Have questions about implementing Zero Trust in your organisation? Drop us a line at info@corenetworks.com.au.