
Zero trust is a security approach built on one principle: never trust anything automatically, always verify. Every user, device, and application must prove who they are and what they are allowed to access before being let in, every single time. There is no ‘inside the network means you are safe.’
For years, zero trust was treated as an enterprise concept requiring dedicated security teams and six-figure budgets. That has changed. The tools most SMEs already use, particularly Microsoft 365, now include zero trust controls that can be switched on without buying anything new. If you have 10 to 50 people and you use cloud services, zero trust is not only relevant to your business; some of it is probably already within reach.
Why the Old Approach No Longer Works
Traditional security worked like a castle with a moat. Build a strong perimeter (firewall, VPN) and trust everything inside it. Once you were past the drawbridge, you could go anywhere.
That model breaks down the moment your staff work from home, use personal phones, access cloud applications or share files externally. The perimeter no longer exists in any meaningful sense. Your data is everywhere: in Microsoft 365, on laptops in coffee shops, in shared folders accessible from any browser.
Attackers know this. Phishing steals a set of credentials, and once inside, there is nothing stopping lateral movement across email, SharePoint, OneDrive and anything else that login has access to. The castle-and-moat model offers no protection once someone is through the door.
Consider a common scenario: a staff member clicks a convincing phishing link and enters their Microsoft 365 password. Without zero trust controls, the attacker now has the same access as that employee: email, shared files, client data, internal Teams channels. If that person happens to have admin rights, the attacker has those too. In a zero trust environment, the stolen password alone is not enough. MFA blocks the login attempt. Conditional access flags the unfamiliar device or location. Even if the attacker gets past those layers, least-privilege access means they reach only what that specific role requires, not the entire business.
Zero Trust Principles
Strip away the frameworks and the jargon, and zero trust comes down to three things.
Verify every access request
Do not assume that because someone logged in this morning, they should still have access this afternoon. Instead, check who they are, what device they are using, where they are connecting from, and whether the access request makes sense.
This is where multi-factor authentication becomes essential, but it goes beyond MFA into conditional access policies that evaluate context with every request.
Give people only what they need
This is least-privilege access. For example, if someone in marketing does not need access to the finance folder, they should not have it. Likewise, if an employee leaves or changes role, their permissions should be updated immediately rather than left open indefinitely. Most businesses discover they have far more shared access than they realised when they actually audit it.
Assume a breach has already happened
Design your systems as though an attacker is already inside. Segment access so that compromising one account does not hand over everything. Monitor for unusual behaviour, like a user logging in from two countries within an hour, or downloading thousands of files at midnight. This aligns with identity-based threat detection.
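The two "unusual behaviour" checks mentioned above, written out as an added example (not code from the article or from any Microsoft product). The records, field layout and thresholds are constructed for illustration and simplified compared with the real Microsoft 365 audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (user, timestamp, country, operation, file_count).
# Field names are an assumption, not the real audit log schema.
EVENTS = [
    ("alice@example.com", "2024-03-04T08:02:00", "GB", "SignIn", 0),
    ("alice@example.com", "2024-03-04T08:41:00", "NG", "SignIn", 0),          # two countries in < 1 hour
    ("bob@example.com",   "2024-03-04T09:15:00", "GB", "SignIn", 0),
    ("bob@example.com",   "2024-03-04T23:58:00", "GB", "FileDownloaded", 2400),  # bulk download near midnight
    ("carol@example.com", "2024-03-04T10:00:00", "GB", "SignIn", 0),
    ("carol@example.com", "2024-03-04T14:30:00", "GB", "FileDownloaded", 35),
]


def impossible_travel(events, window=timedelta(hours=1)):
    """Return (user, country_a, country_b) for consecutive sign-ins by the same
    user from different countries within `window` of each other."""
    by_user = defaultdict(list)
    for user, ts, country, op, _ in events:
        if op == "SignIn":
            by_user[user].append((datetime.fromisoformat(ts), country))
    hits = []
    for user, signins in by_user.items():
        signins.sort()  # order by time so we compare neighbouring sign-ins
        for (t1, c1), (t2, c2) in zip(signins, signins[1:]):
            if c1 != c2 and t2 - t1 <= window:
                hits.append((user, c1, c2))
    return hits


def bulk_download_out_of_hours(events, threshold=1000, start_hour=8, end_hour=18):
    """Return (user, file_count) for download events of at least `threshold`
    files that happen outside the business-hours window."""
    hits = []
    for user, ts, _, op, count in events:
        hour = datetime.fromisoformat(ts).hour
        in_hours = start_hour <= hour < end_hour
        if op == "FileDownloaded" and count >= threshold and not in_hours:
            hits.append((user, count))
    return hits


if __name__ == "__main__":
    print("Impossible travel:", impossible_travel(EVENTS))
    print("Bulk out-of-hours downloads:", bulk_download_out_of_hours(EVENTS))
```

In a real tenant these checks run over exported sign-in and audit logs rather than an in-memory list, but the logic is the same.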
Practical Steps for a Small Business
You do not need a dedicated security operations centre to start applying zero trust. Here is where most SMEs should begin.
Turn on conditional access in Microsoft 365
If you have Microsoft 365 Business Premium, you already have the tools. Set up policies that require MFA, block sign-ins from risky locations, and ensure devices meet basic compliance standards before granting access.
Audit your permissions
Check who has access to what across SharePoint, OneDrive, Teams and any other shared systems. Remove access people no longer need. Set shared folders to restricted rather than open by default.
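A permissions audit of the kind described above, as an added example (not code from the article or a SharePoint tool). The sharing report layout, the link-type labels and the team-to-folder baseline are constructed assumptions; a real export would be mapped onto the same fields first.

```python
from collections import namedtuple

# Constructed record: one row of a simplified sharing report (assumed layout).
Share = namedtuple("Share", "resource grantee department link_type")

SHARES = [
    Share("Finance/Payroll",     "dan@example.com",   "Finance",   "Direct"),
    Share("Finance/Payroll",     "erin@example.com",  "Marketing", "Direct"),       # outside the owning team
    Share("Marketing/Campaigns", "erin@example.com",  "Marketing", "Direct"),
    Share("Marketing/Campaigns", "Anyone with the link", "",       "Anonymous"),    # open by default
    Share("HR/Contracts",        "Everyone except external users", "", "Organization"),
    Share("Clients/Acme",        "frank@example.com", "Sales",     "Direct"),
]

# Least-privilege baseline: which team each top-level area belongs to (assumed).
OWNING_TEAM = {"Finance": "Finance", "Marketing": "Marketing", "HR": "HR", "Clients": "Sales"}


def audit(shares, owning_team=OWNING_TEAM):
    """Return (resource, grantee, reason) for every share that is wider than the
    role needs: anonymous links, organisation-wide links, and direct grants to
    people outside the team that owns the area."""
    findings = []
    for s in shares:
        area = s.resource.split("/", 1)[0]
        owner = owning_team.get(area)
        if s.link_type == "Anonymous":
            findings.append((s.resource, s.grantee, "anonymous link: anyone with the URL can open it"))
        elif s.link_type == "Organization":
            findings.append((s.resource, s.grantee, "organisation-wide link: every staff account can open it"))
        elif owner and s.department != owner:
            findings.append((s.resource, s.grantee, f"{s.department} user granted access to a {owner} area"))
    return findings


if __name__ == "__main__":
    for resource, grantee, reason in audit(SHARES):
        print(f"{resource}: {grantee} -> {reason}")
```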
Use separate admin accounts
Anyone with administrative privileges should have a separate admin account that they only use for admin tasks. Day-to-day work should happen on a standard account. This limits the damage if a credential is compromised.
Enable security defaults or conditional access policies
Microsoft’s security defaults provide a baseline of zero trust controls at no extra cost. For more granular control, conditional access policies let you define specific rules based on user, device, location and risk level.
Review access regularly
Zero trust is not a one-time project. Schedule quarterly reviews of user permissions, admin accounts and access policies. When someone changes role or leaves the business, update their access on the same day.
Require device compliance before granting access
If you use Microsoft Intune (included with Business Premium), you can set policies that only allow access from devices that meet your security standards, such as having an up-to-date operating system, active antivirus and disk encryption enabled. A personal laptop that has not been patched in six months should not have the same access as a managed company device.
Segment your network
At a basic level, this means keeping your guest Wi-Fi separate from your business network. Visitors and personal devices should not sit on the same network as your servers, printers and business systems. Most modern routers support this, and it is one of the simplest ways to limit what an attacker can reach if they gain access through a less secure device.
How Zero Trust Relates to Cyber Essentials
If your business holds or is working toward Cyber Essentials certification, you are already aligned with some zero trust principles. Cyber Essentials requires access control, secure configuration and malware protection, all of which overlap with the zero trust model. Zero trust builds on that foundation. Where Cyber Essentials provides a baseline, zero trust extends it with continuous verification, conditional access and the assumption that no network location is inherently safe. The two work together, not in competition.
Getting Started Without a Security Team
Zero trust is a direction, not a destination. You do not need to implement everything at once. Start with MFA and conditional access. Audit your permissions. Enable basic monitoring. Each step reduces your attack surface. If you want help applying zero trust principles to your managed IT environment, speak to The Unite Group. We will review your current setup, identify the quick wins and build a practical roadmap that fits your business, not an enterprise framework.
