The old model: trust the network

Traditional security assumed that anything inside the office network was safe and anything outside it was not. You built a strong perimeter (firewall, VPN) and trusted whatever got past it, including an attacker who phished one password or compromised one laptop and was now "inside" too. That assumption breaks down once staff work from home, data lives in the cloud, and phones and laptops move between networks all day.

The Zero Trust idea, in one sentence

Never trust automatically, based on network location — always verify, every time, for every request. A request from inside the office is checked the same way as one from a coffee shop. Identity and device health matter more than which network you're on.

The core principles

  • Verify explicitly. Authenticate and authorize based on all available signals — user, device, location, and data sensitivity — not just a password.
  • Use least privilege. Give people and systems only the access they need, for as long as they need it.
  • Assume breach. Design as if an attacker is already somewhere in the network, and limit how far they could move.

What this looks like in practice for an SME

  • MFA everywhere — email, VPN, admin panels, cloud apps. Not just for admins.
  • Device checks — require devices to be patched and have security software before they can reach sensitive systems.
  • Segmented networks — staff, guest Wi-Fi, and critical systems (like payment processing) don't share a flat network.
  • Least-privilege access — review who has admin rights and access to sensitive folders; remove what isn't needed.
  • Conditional access — if your identity provider (e.g. Microsoft 365) supports it, block risky sign-ins (new country, impossible travel, unmanaged device).
  • Logging — keep enough logs to reconstruct what happened if something goes wrong.
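To make the principles and the practices above concrete, here is a toy access-policy evaluator. It is an added illustration, not code from the original post and not how any vendor product (Microsoft 365 conditional access included) is configured. It assumes a hypothetical sign-in record with the fields shown, a fixed impossible-travel threshold of 900 km/h, and a handful of constructed sample sign-ins. The point it demonstrates is the one-sentence version of Zero Trust: the network a request arrives from is recorded for the audit log but never counts as a reason to allow it.

```python
# Added example (not from the original post): a toy Zero Trust policy evaluator.
# Field names, the 900 km/h threshold and the sample sign-ins are all constructed
# for illustration; they do not describe any real identity provider.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Resources that require a managed, patched device (assumed list).
SENSITIVE_RESOURCES = {"payroll", "payment-admin"}
# Faster than a long-haul flight between two sign-ins is treated as impossible
# travel (assumed threshold).
IMPOSSIBLE_TRAVEL_KMH = 900.0


@dataclass
class SignIn:
    user: str
    resource: str
    mfa_passed: bool
    device_managed: bool
    device_patched: bool
    country: str
    lat: float
    lon: float
    at: datetime
    network: str  # "office", "cafe", ...: logged, but never a reason to allow


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(req, previous=None):
    """Decide a sign-in and return an audit record with the decision and reasons."""
    reasons = []

    # Verify explicitly: MFA on every request. Being on the office LAN changes nothing.
    if not req.mfa_passed:
        reasons.append("mfa_required")

    # Conditional access: compare with the user's previous sign-in.
    if previous is not None and req.at >= previous.at:
        hours = (req.at - previous.at).total_seconds() / 3600.0
        km = haversine_km(previous.lat, previous.lon, req.lat, req.lon)
        speed = km / hours if hours > 0 else float("inf")
        if km > 0 and speed > IMPOSSIBLE_TRAVEL_KMH:
            reasons.append("impossible_travel")
        elif req.country != previous.country:
            reasons.append("new_country")

    # Device health gate for sensitive systems (least privilege, assume breach).
    if req.resource in SENSITIVE_RESOURCES and not (req.device_managed and req.device_patched):
        reasons.append("device_not_compliant")

    # Keep enough to reconstruct the decision later (the "Logging" bullet).
    record = asdict(req)
    record["at"] = req.at.isoformat()
    record["decision"] = "deny" if reasons else "allow"
    record["reasons"] = reasons
    return record


# Constructed sample sign-ins for the demo below.
_T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
NEW_YORK = (40.7128, -74.0060)

PREVIOUS = SignIn("alice", "wiki", True, True, True, "GB", *LONDON, _T0, "office")
OFFICE_NO_MFA = SignIn("alice", "wiki", False, True, True, "GB", *LONDON, _T0.replace(hour=10), "office")
CAFE_OK = SignIn("alice", "payroll", True, True, True, "GB", *LONDON, _T0.replace(hour=11), "cafe")
CAFE_BYOD = SignIn("alice", "payroll", True, False, True, "GB", *LONDON, _T0.replace(hour=11), "cafe")
NY_ONE_HOUR = SignIn("alice", "wiki", True, True, True, "US", *NEW_YORK, _T0.replace(hour=10), "hotel")
NY_NEXT_DAY = SignIn("alice", "wiki", True, True, True, "US", *NEW_YORK,
                     datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc), "hotel")


def demo():
    """Run the samples against the previous sign-in and return name -> decision."""
    samples = {
        "office_without_mfa": OFFICE_NO_MFA,
        "cafe_managed_device_to_payroll": CAFE_OK,
        "cafe_unmanaged_device_to_payroll": CAFE_BYOD,
        "new_york_one_hour_later": NY_ONE_HOUR,
        "new_york_next_day": NY_NEXT_DAY,
    }
    return {name: evaluate(req, PREVIOUS)["decision"] for name, req in samples.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note what the two cafe cases show: the same user, from the same untrusted network, is allowed to reach payroll on a managed, patched laptop and denied on an unmanaged one, while the office sign-in without MFA is denied outright. That is the whole shift from "where are you?" to "who are you, and is the device healthy?".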

You don't need to buy a "Zero Trust product." It's a set of principles you apply to what you already have — most SMEs can meaningfully move toward Zero Trust using settings already included in Microsoft 365, their firewall, and their identity provider.

Where to start

Start with identity: enforce MFA everywhere, and review who has standing admin access. Then look at network segmentation and device health. You don't need to do everything at once — each step reduces real risk on its own.

Not sure how exposed you are today?

A security assessment maps your current access model against these principles and gives you a realistic, prioritized path forward.
