Zero Trust Architecture: Is It Right for Small Businesses?
If you’ve attended any cybersecurity conference, read any security vendor’s blog, or talked to any IT consultant in the past three years, you’ve heard about zero trust. “Never trust, always verify” is the mantra. Every access request is authenticated and authorised regardless of where it originates. No implicit trust based on network location.
The concept is sound. But the way it’s being marketed — as something every business needs to implement immediately — ignores the practical reality of small business IT environments. Let’s look at what zero trust actually means, what it costs, and whether it makes sense for businesses that aren’t running enterprise-scale infrastructure.
What Zero Trust Actually Means
Traditional network security works like a castle with a moat. There’s a perimeter (firewall), and everything inside the perimeter is trusted. Once you’re “inside” the network, you can access most resources freely.
Zero trust eliminates the concept of a trusted perimeter. Every user, device, and application must authenticate and be authorised for every access request. A user on the corporate WiFi is treated the same as a user connecting from a coffee shop. Internal network traffic is scrutinised the same as external traffic.
The core principles, as defined by NIST’s Zero Trust Architecture framework (SP 800-207), include:
- All data sources and computing services are considered resources
- All communication is secured regardless of network location
- Access to individual resources is granted on a per-session basis
- Access is determined by dynamic policy based on client identity, application, and the requesting asset’s state
- The enterprise monitors and measures the security posture of all owned and associated assets
- All authentication and authorisation are dynamic and strictly enforced before access is allowed
In practice, this means identity-centric access controls, micro-segmentation of networks, continuous verification, least-privilege access, and extensive monitoring.
What Enterprise Zero Trust Looks Like
Large organisations implementing zero trust typically deploy:
- Identity providers with strong MFA (Okta, Azure AD, Google Workspace)
- Endpoint detection and response (EDR) on all devices
- Network micro-segmentation using software-defined networking
- Zero trust network access (ZTNA) replacing traditional VPN
- Cloud access security brokers (CASBs) for SaaS application control
- Security information and event management (SIEM) for monitoring
- Device health verification before granting access
The implementation timeline is typically 18-36 months. The cost runs into hundreds of thousands or millions of dollars depending on organisation size. Dedicated security teams manage the ongoing operation.
The Small Business Reality
Now consider a 20-person business. Maybe a professional services firm, a small manufacturer, or a local retailer with an online presence.
Their IT environment typically includes:
- A cloud-hosted email and productivity suite (Microsoft 365 or Google Workspace)
- A few SaaS applications (accounting, CRM, maybe project management)
- A handful of laptops and possibly a shared file server or NAS
- Consumer or small business-grade networking equipment
- No dedicated IT security staff (maybe a part-time IT person or an MSP)
The full enterprise zero trust stack is completely impractical here. The cost is disproportionate to the business size, the complexity exceeds available expertise, and the management overhead would consume more resources than the security benefits justify.
But that doesn’t mean zero trust principles are irrelevant. Some elements of zero trust thinking are both practical and valuable for small businesses.
What Small Businesses Should Actually Do
Instead of trying to implement a full zero trust architecture, small businesses should adopt specific zero trust principles that provide the most security value for the least complexity.
Strong identity management. This is the single most impactful zero trust principle for small businesses. Use a cloud identity provider (built into Microsoft 365 or Google Workspace) with strong MFA for all users. Enforce unique passwords through a password manager. Disable shared accounts. This alone prevents the majority of account-based attacks.
Conditional access policies. Both Microsoft 365 and Google Workspace support conditional access rules — require MFA from unknown locations, block access from unmanaged devices, require device compliance checks. These are zero trust concepts implemented through tools you’re likely already paying for.
Least privilege access. Don’t give everyone admin access to everything. The receptionist doesn’t need the same file access as the finance manager. The marketing person doesn’t need admin access to the CRM. Role-based access controls are available in most modern SaaS applications. Configure them properly.
Device security baselines. Require encryption on all laptops, keep operating systems updated, run endpoint protection software. If a device doesn’t meet security requirements, it shouldn’t access company resources. Microsoft Intune (included in some Microsoft 365 plans) can enforce this automatically, even for small businesses.
Secure remote access. If employees work remotely, use ZTNA-style access rather than a traditional VPN that grants access to the entire network. Tools like Cloudflare Access, Twingate, and Tailscale provide zero trust-inspired remote access at price points that work for small businesses.
Monitoring (at a basic level). You don’t need a SIEM. But you should have audit logging enabled on your critical systems (email, cloud storage, financial applications) and someone who reviews those logs periodically. At minimum, set up alerts for unusual sign-in activity — sign-ins from new countries, multiple failed attempts, or successful logins at unusual hours.
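The three alert conditions listed above (sign-ins from a new country, bursts of failed attempts, and successful logins at unusual hours) are simple enough to script without a SIEM. The following is an added example, not code from the original post or from any vendor; it runs over a constructed, generic sign-in log (the field names `ts`, `user`, `country` and `result` and the sample records are invented for this example, not a Microsoft 365 or Google Workspace export format), with a constructed per-user baseline of expected countries. The thresholds (five failures in ten minutes, business hours 07:00 to 19:00) are assumptions to be tuned for your own environment.

```python
"""Basic sign-in anomaly alerts for a small business.

Flags three conditions over a sign-in log:
  - new_country : successful sign-in from a country not in the user's baseline
  - failed_burst: N or more failed attempts by one user within a time window
  - off_hours   : successful sign-in outside business hours (local time of the record)

Added example; the log format and sample data below are constructed for
illustration and are not any vendor's export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log: one record per attempt, ISO-8601 timestamps with offset.
SAMPLE_LOG = [
    {"ts": "2024-03-04T02:10:00+10:00", "user": "bob@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T02:11:00+10:00", "user": "bob@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T02:12:00+10:00", "user": "bob@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T02:13:00+10:00", "user": "bob@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T02:14:00+10:00", "user": "bob@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T02:16:00+10:00", "user": "bob@example.com", "country": "NL", "result": "success"},
    {"ts": "2024-03-04T09:05:00+10:00", "user": "alice@example.com", "country": "AU", "result": "success"},
    {"ts": "2024-03-04T13:30:00+10:00", "user": "alice@example.com", "country": "AU", "result": "success"},
    {"ts": "2024-03-04T15:00:00+10:00", "user": "dave@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T15:01:00+10:00", "user": "dave@example.com", "country": "AU", "result": "failure"},
    {"ts": "2024-03-04T15:02:00+10:00", "user": "dave@example.com", "country": "AU", "result": "success"},
    {"ts": "2024-03-04T22:45:00+10:00", "user": "carol@example.com", "country": "AU", "result": "success"},
]

# Constructed baseline: countries each user is expected to sign in from.
# A user missing from the baseline is treated as having no known countries,
# so their first successful sign-in is flagged for review.
KNOWN_COUNTRIES = {
    "alice@example.com": {"AU"},
    "bob@example.com": {"AU"},
    "carol@example.com": {"AU"},
    "dave@example.com": {"AU"},
}


def detect(events, known_countries, fail_threshold=5, window_minutes=10, business_hours=(7, 19)):
    """Return a list of alert dicts, in time order, for the three conditions above."""
    window = timedelta(minutes=window_minutes)
    start_hour, end_hour = business_hours
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []

    # Process chronologically so the sliding failure window is meaningful.
    for e in sorted(events, key=lambda r: datetime.fromisoformat(r["ts"])):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]

        if e["result"] == "failure":
            q = recent_failures[user]
            q.append(ts)
            # Drop failures that fell out of the window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"rule": "failed_burst", "user": user, "ts": e["ts"],
                               "detail": f"{len(q)} failed sign-ins within {window_minutes} minutes"})
                q.clear()  # one alert per burst, not one per extra failure
            continue

        # Successful sign-in: check country baseline and business hours.
        baseline = known_countries.get(user, set())
        if e["country"] not in baseline:
            alerts.append({"rule": "new_country", "user": user, "ts": e["ts"],
                           "detail": f"successful sign-in from {e['country']}, baseline {sorted(baseline)}"})
        if not (start_hour <= ts.hour < end_hour):
            alerts.append({"rule": "off_hours", "user": user, "ts": e["ts"],
                           "detail": f"successful sign-in at {ts.strftime('%H:%M')} local time"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_COUNTRIES):
        print(f"{a['ts']}  {a['rule']:<13} {a['user']:<20} {a['detail']}")
```

On the sample data this produces four alerts: a failed burst for bob, then bob's success from a country not in his baseline (which also lands outside business hours), and carol's late-evening sign-in; dave's two failures stay under the threshold and are not reported. The off-hours check uses the hour in the record's own UTC offset, so a log exported in UTC would need converting to the office's local time first, and a team that spans time zones should set `business_hours` per user rather than globally.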
The Cost-Benefit Calculation
A small business implementing the pragmatic approach above might spend:
- MFA and conditional access: included in Microsoft 365 Business Premium (~$33/user/month) or similar
- ZTNA remote access: $5-$15/user/month depending on the tool
- Endpoint protection: $3-$8/user/month
- Password manager: $4-$8/user/month
For a 20-person business, that’s roughly $900-$1,280 per month total (the per-user ranges above multiplied by 20 users) for a meaningful security uplift. That’s a fraction of the cost of a full zero trust implementation, and it addresses the threats most likely to affect a small business.
Compare this to the average cost of a data breach for an Australian SMB — which the ACSC estimates at $46,000 for a small business and up to $97,000 for a medium business. The security investment pays for itself if it prevents even one incident over several years.
When to Bring in Help
If your business handles sensitive data — healthcare records, financial information, legal documents — or operates in a regulated industry, the basic approach above might not be sufficient. You may need a more comprehensive security assessment and potentially a more structured zero trust implementation.
This is where working with security-focused consultants makes sense. The team at Team400 can help evaluate your specific risk profile and design an approach that’s proportionate to your actual threats and regulatory requirements, rather than applying an enterprise-grade framework to a small business environment.
The key is proportionality. A small business doesn’t need the same security controls as a bank. But it does need more than an antivirus subscription and a shared WiFi password.
The Honest Assessment
Full zero trust architecture is not right for most small businesses. The concept was designed for large, complex environments with dedicated security teams and significant budgets.
But zero trust principles — verify identity, enforce least privilege, don’t trust the network, monitor access — are universally valuable. The question for small businesses isn’t whether to adopt zero trust. It’s which elements of zero trust provide the most protection for the least complexity and cost.
Start with identity and access management. Add conditional access and endpoint security. Implement ZTNA for remote access if your team works outside the office. These three steps will dramatically improve your security posture without requiring enterprise-grade infrastructure or budget.
Zero trust isn’t an all-or-nothing proposition. It’s a spectrum. Small businesses should be on that spectrum — just not necessarily at the enterprise end of it.