What 'Zero Trust' Actually Means for a 15-Person Office
21 April 2026
"Zero Trust" sounds like something from a spy film. In cybersecurity marketing, it's used to sell everything from firewalls to identity platforms to consultancy retainers. It's become one of those terms that means everything and nothing at the same time.
But the actual idea behind Zero Trust is simple, practical, and relevant to every business — including a 15-person office that just uses Microsoft 365 and a few laptops.
The Three Principles
Strip away the jargon and Zero Trust comes down to three things.
1. Verify everyone, every time. Don't assume that because someone logged in this morning, they're still who they say they are this afternoon. Don't assume that because a device is in the office, it's safe. Every access request gets checked.
2. Give people only the access they need. The receptionist doesn't need access to the finance folder. The freelancer doesn't need admin rights. Everyone gets exactly what they need for their job — nothing more.
3. Assume something will go wrong. Build your setup so that when — not if — a password gets stolen or a device gets compromised, the damage is contained. One breached account shouldn't give an attacker the keys to everything.
What This Looks Like in Practice
For a small business running Microsoft 365, applying Zero Trust doesn't require expensive products or a dedicated security team. It looks like this:
- Multi-factor authentication on every account. Not just the admin. Everyone. If someone steals a password, they still can't get in without the second factor.
- Conditional Access policies. These let you set rules: "Only allow sign-ins from the UK," "Block legacy authentication," "Require a managed device for accessing company data." These are built into Microsoft 365 — you're already paying for them.
- Least-privilege access. Review who has admin rights. In most small businesses, far too many people have Global Admin. Reduce it to the minimum. Same for shared drives — not everyone needs access to everything.
- Device management. Enrol devices in Intune so they're managed, encrypted, and can be remotely wiped if lost. An unmanaged personal laptop accessing your company data is a risk you don't need.
- Session controls. Set sign-in sessions to expire. Require re-authentication for sensitive actions. Don't let a stolen session token give someone permanent access.
What It Isn't
Zero Trust is not a product you buy. It's not a firewall, a VPN, or a piece of software. It's a way of thinking about access and security that applies regardless of your tools.
You don't need to implement every aspect at once. Start with MFA. Then Conditional Access. Then device management. Each step makes you significantly more secure than you were before.
For a deeper explanation of why people remain the biggest factor in all this, see why your team is your biggest security risk.
The point isn't perfection. The point is that "everyone has the same password and admin access" is not a sustainable security model — and there are straightforward steps to move away from it. Our cybersecurity team can help you implement this in stages without disrupting how your office already works.
Want to talk about this?
Book a free 15-minute call and we'll discuss how this applies to your business.
Book a Free CallGet IT tips in your inbox
Practical advice for small businesses. No spam.
