Axia Computer Systems Ltd

Cyber Security

Zero trust for SMEs: cutting through the vendor marketing

Zero trust is the most over-marketed idea in cyber security right now and also the most genuinely useful. Here is the plain-English version for an SME that does not have a CISO, the controls that pay for themselves first, and the ones you can safely ignore until next year.

Cyber SecurityBy Axia Computer Systems Ltd
FortinetZero TrustNetwork Security
Zero trust for SMEs: cutting through the vendor marketing

Every security vendor in 2026 has "zero trust" on the homepage. Most of what they are selling is sensible networking technology that has been rebranded for a buzzword. Underneath the marketing though, zero trust as a way of thinking is genuinely useful — and most SMEs are already doing half of it without realising. The point of this article is to cut through the noise and tell you which of the controls are worth doing now, which can wait, and which are honestly just expensive wallpaper.

Zero trust in one sentence

Stop trusting the network. Trust the identity, the device, the application and the context of every request — and verify them on every attempt, not just at sign-in. That is the whole idea. Everything a vendor sells under the zero trust label is some combination of those four checks applied to a specific part of the environment.

The five controls worth doing first

  • Multi-factor authentication on every account, enforced — not optional, not just for admins, but every human and every account that touches production data.
  • Conditional access: challenge sign-ins from unmanaged devices, unusual geographies or impossible travel patterns; block legacy authentication outright.
  • Device compliance as a hard gate: only Intune- or equivalent-managed devices that meet the patch, encryption and endpoint protection bar can access company data.
  • Network segmentation: stop trusting the corporate Wi-Fi as if it were the company. Segment by function and restrict east-west traffic between segments with explicit allow lists.
  • Application-level access controls: prefer SaaS apps that support per-app conditional access over VPN tunnels into the corporate network.

The controls you can safely defer

A full microsegmentation project, a next-generation access broker for every legacy line-of-business app, a software-defined perimeter overlay — these are real zero trust building blocks but they are also large projects. For an SME without a security team, the right sequencing is: do the low-cost identity and device controls above well, then look at the bigger network and application-layer work when there is budget and a clear scope. None of the enterprise-grade zero trust architecture matters if the basics are not enforced.

What zero trust typically saves you

For SMEs that genuinely implement the five controls above, the practical benefits are concrete: simpler offboarding (revoke the identity and access follows), cleaner BYOD policy (managed apps only on personal devices, no corporate data ever stored locally), removal of the need for a traditional VPN in most cases, and a much better answer to the cyber-insurance questionnaire. The controls also produce real telemetry — sign-in risk, device compliance, conditional-access denials — that you can use to investigate incidents without paying for a separate SIEM.

We help SMEs across Hertfordshire, Bedfordshire and London design and deploy zero trust in a staged, right-sized way. If you would like a one-hour session to look at where you are now and what the realistic next six months look like, get in touch.

More from Cyber Security

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners