- Zero trust means "never trust, always verify" — stop assuming anything inside your network perimeter is safe
- Small teams face the same attack vectors as enterprises but have fewer resources to absorb a breach
- The 5 pillars are: identity, device, network, application, and data — address them in that order
- A 20-person regulated team can implement a solid zero trust baseline in 4 weeks for $800–$1,400/month total
- MFA + SSO + least-privilege RBAC addresses 80% of real-world attack vectors immediately, before anything else
What zero trust actually means (cutting through the marketing)
Zero trust has become one of the most misused terms in enterprise software marketing. Vendors slap the label on anything from VPNs to endpoint agents to email filters, which makes it nearly impossible to understand what you actually need to implement. Let's reset with the plain-language definition.
Zero trust is a security model based on a single principle: no user, device, or network connection is trusted by default, regardless of where it comes from.
Traditional perimeter security says: "If you're inside the office network, you're trusted." Zero trust says: "It doesn't matter where you are. Every access request must be verified, and every user and device gets only the minimum access required for the task at hand."
The model was formalised by NIST in Special Publication 800-207, published in 2020. It identifies five components that must be addressed for a complete zero trust architecture: identity, device, network, application, and data. These are the five pillars this guide is built around.
Zero trust is not a single product you can buy. It is an architecture you implement progressively using a combination of tools and policies. A small team reaching 80% of the zero trust posture is vastly better protected than the same team with a legacy VPN and no MFA. Perfect is the enemy of good — especially for teams without a dedicated security engineer.
What zero trust is not: It is not a VPN. It is not a firewall. It is not a single-vendor solution you can buy and deploy in a weekend. Any vendor telling you that their product alone makes you "zero trust compliant" is selling you marketing copy, not security.
Why small regulated teams need zero trust more than enterprises
Counter-intuitive as it sounds, small regulated teams have more to lose from a breach than most enterprises — and less capacity to recover. Here is why:
You hold high-value, high-sensitivity data
A 20-person law firm holds client confidential information, financial records, personal data under GDPR, and potentially material non-public information. A 15-person accounting practice holds years of client tax data for every individual and business they service. A small financial advisory firm holds banking details, investment positions, and identity documents. This is exactly the data ransomware operators and identity thieves target most aggressively.
Perimeter security no longer exists for you
Small regulated teams in 2026 are almost entirely SaaS-based. Your data lives in Microsoft 365 or Google Workspace, your CRM is cloud-hosted, your document storage is cloud-hosted, your communications are cloud-hosted. There is no "inside the perimeter" anymore. The castle-and-moat model — protect the boundary and trust everything inside — does not apply to an organisation where there is no physical boundary to protect.
You cannot absorb a breach the way an enterprise can
A large enterprise suffering a breach has cyber insurance, an incident response retainer, a dedicated legal team, and the financial reserves to survive weeks of remediation. A 20-person firm typically has none of these at scale. A serious breach — data exfiltration, ransomware, credential compromise leading to client fund theft — is existential. The regulatory consequences alone (ICO fines, SRA notifications, FCA reporting obligations) can be catastrophic.
Insider risk is proportionally higher
In a small team, every person has disproportionate access. The office manager who has admin credentials to every system "because it's easier that way." The departing associate whose accounts were not deprovisioned promptly. The contractor who was given the same access level as a full-time employee. These are the actual threat vectors that compromise small firms — not sophisticated nation-state attacks.
The most common breach vector for small professional services firms is not hacking. It is credential compromise through phishing, followed by an attacker moving laterally through systems that have no access controls. Zero trust is specifically designed to limit the blast radius when this happens.
The 5 pillars for small teams
Here is the framework. Each pillar addresses a different attack surface. Implement them in order — identity first, because it underpins everything else.
Who is trying to access what? MFA, SSO, and least-privilege RBAC are the foundation of zero trust.
Is the device accessing your data managed and healthy? Unmanaged personal devices are the largest uncontrolled risk for most small teams.
How does traffic reach your applications? ZTNA replaces the VPN model with per-application, per-session access grants.
What SaaS tools are in use and what access have you granted them? Shadow IT and over-permissioned OAuth tokens are the gaps attackers exploit.
Where does your sensitive data live, who can access it, and is it encrypted at rest and in transit? Data classification drives your protection decisions.
Pillar 1: Identity — MFA everywhere, SSO, least-privilege RBAC
Identity is the new perimeter. If you get one thing right in this guide, make it identity. An attacker with valid credentials and no MFA in the way can access everything that account has permissions to — and in most small firms, that is most things.
Multi-factor authentication (MFA)
MFA must be mandatory for every account that accesses business data. No exceptions for senior partners who find it inconvenient. No exceptions for the admin account because "it's only used internally." No exceptions. Microsoft's own security data shows that MFA blocks over 99% of automated credential attacks. It is the single highest-return security control available.
For small teams, the implementation is straightforward:
- Enable MFA in Microsoft 365 or Google Workspace at the tenant level (not user-optional)
- Use an authenticator app (Microsoft Authenticator, Google Authenticator, or Authy) — SMS-based MFA is better than nothing but vulnerable to SIM-swapping
- Enforce MFA for all third-party SaaS applications via your identity provider
- Require MFA at every login, not just the first sign-in from a new device
Single Sign-On (SSO)
SSO solves two problems simultaneously: it makes MFA enforcement practical (users authenticate once through a single identity provider, and that MFA extends to all connected apps), and it gives you a single place to manage and revoke access when someone leaves. When an employee departs without SSO, you have to manually disable their account in every application they ever accessed. With SSO, you disable one account and access is revoked everywhere.
For small teams, Microsoft Entra ID (formerly Azure AD) or Google Workspace's built-in identity provider is typically sufficient. For teams that need SSO across a wider range of applications, Okta Workforce Identity or JumpCloud are purpose-built for small businesses at reasonable cost.
Least-privilege RBAC
Role-based access control means every user has exactly the permissions required for their role — not admin access because it was easier to set up, not broad read access to all client files because "they might need it." Every permission that is not required is an attack surface.
The practical implementation for a small firm:
- Define three to five roles that reflect how people actually work — for example: Admin, Fee Earner, Paralegal, Finance, External Advisor
- Assign permissions to roles, not individuals (so when a person changes role, you change their role assignment, not fifty individual permissions)
- Audit role assignments quarterly — are there people with admin access who no longer need it? Are there ex-employees whose accounts were not fully deprovisioned?
- Remove admin rights from all accounts that do not specifically require them — most users at most firms never need admin access to their identity provider or document management system
Pillar 2: Device — managed vs unmanaged, MDM basics
Zero trust requires that the device making an access request is known, managed, and in a healthy state. An unmanaged personal laptop connecting to your client data is a black box — you do not know if it has malware, whether the OS is patched, or whether the disk is encrypted. Your identity controls mean nothing if the device accessing your systems is already compromised.
The managed vs unmanaged distinction
A managed device is one enrolled in your mobile device management (MDM) system. You can enforce security policies on it: require disk encryption, enforce OS updates, require a screen lock, remotely wipe it if it is lost or stolen. An unmanaged device is a personal phone or laptop that your employee uses to access work systems with no policy enforcement.
For small regulated teams, the minimum viable device policy is:
- Company-owned devices: Must be enrolled in MDM. No exceptions.
- Employee-owned devices (BYOD): Must meet a defined minimum security standard (current OS, disk encryption, screen lock) to access business data. Consider using a containerised work profile (Microsoft Intune app protection policies, or Google endpoint verification) to separate work and personal data.
- Contractor and external advisor devices: Should access data through a secure portal only — never through direct network access.
MDM options for small teams
If you are already using Microsoft 365 Business Premium, Microsoft Intune is included. For Google Workspace users, Google endpoint management provides basic device management at no additional cost. For Apple-heavy shops, Apple Business Manager plus Jamf Now (at $4/device/month) is well-suited to teams under 50. JumpCloud MDM is a strong option if you need cross-platform management in a single console.
The minimum MDM policies to enforce from day one:
- Disk encryption required (BitLocker on Windows, FileVault on macOS)
- OS updates must be applied within 14 days of release
- Screen lock after 5 minutes idle
- Remote wipe capability enabled
- Compliance status checked at every application sign-in
Pillar 3: Network — VPN vs ZTNA, micro-segmentation for SaaS teams
Traditional VPNs grant network-level access — once connected, a user (or an attacker using stolen credentials) can reach everything on the network. Zero trust network access (ZTNA) replaces this with application-level access: you grant access to a specific application for a specific session based on verified identity and device health, not to a broad network.
Should small teams replace their VPN?
If your team is fully SaaS-based and has no on-premises servers or legacy applications, you probably do not need a VPN at all. You need conditional access policies that enforce who can access your SaaS applications from where, with what device, under what conditions. This is entirely achievable through your identity provider without a VPN.
If you have any on-premises resources — a file server, a line-of-business application, a legacy system — you need secure remote access to them. In this case, replace a traditional VPN with a ZTNA solution. The practical options for small teams:
- Cloudflare Access (Zero Trust plan): Free for up to 50 users. Protects any internal application by putting Cloudflare's identity proxy in front of it. Requires no inbound firewall rules — just a lightweight Cloudflare Tunnel connector on your server. Excellent value for small teams.
- Tailscale: Peer-to-peer mesh VPN with a zero trust posture. Free for teams under 3 users, $6/user/month above that. Simple to deploy, strong for teams that need device-to-device connectivity.
- Zscaler Private Access: Enterprise-grade ZTNA. Overkill for most teams under 50, but the right choice if you need granular application-level policy at scale.
Conditional access policies
Even without replacing your VPN, conditional access policies on your identity provider deliver significant zero trust benefit. Typical policies for small regulated teams:
- Block access from countries where you have no legitimate business activity
- Require MFA for all access, not just initial sign-in
- Require compliant device status for access to sensitive data (enforced via MDM enrollment check)
- Block legacy authentication protocols (basic auth) that bypass MFA entirely
- Require re-authentication after 8 hours for high-sensitivity applications
Pillar 4: Application — SaaS security posture, OAuth review
Your application perimeter is the collection of SaaS tools your team uses, the permissions those tools have, and the OAuth integrations connecting them. Most small teams have a far larger application attack surface than they realise because they have never audited what their employees have authorised.
Shadow IT
Shadow IT — applications used by employees without IT visibility or approval — is endemic in small professional services firms. Someone signs up for a new project management tool, connects it to Google Workspace to import contacts, and you now have a third-party application with access to all your email contacts. This is not hypothetical; it is the default behaviour of most productivity tools.
Run an OAuth audit on your identity provider right now. In Google Workspace: Admin Console → Security → API Controls → Third-party apps. In Microsoft Entra: Enterprise Applications → All Applications. You will almost certainly find applications with permissions you did not knowingly grant. Revoke any application that is no longer in use, and restrict any application with broader permissions than its purpose requires.
Practical rule: No application should have access to "all files" or "all email" unless there is a specific, documented business requirement. Applications that request broad permissions when narrow permissions would suffice are a red flag. Review carefully before authorising.
SaaS security posture management
For teams with 10+ SaaS applications, a lightweight SaaS security posture management (SSPM) tool can automate the audit process. Options accessible to small teams include Nudge Security (designed specifically for small teams, free tier available) and DoControl. These tools continuously monitor your SaaS estate, flag over-permissioned connections, and identify users who have authorised risky applications.
Application access control
Every business application should have its own access control review, not just rely on your identity provider:
- Who has admin rights in your CRM? Does every admin actually need admin rights?
- Who has access to your document vault or file storage? Are ex-employees still listed?
- Are guest users in your collaboration tools scoped to the specific projects they need?
- Do your client portal users have access only to their own files, or can they see other clients' data?
Pillar 5: Data — classification, encryption, DLP basics
The data pillar is where zero trust connects directly to your regulatory obligations. GDPR, the SRA's data protection rules, FCA data security requirements — all of them ultimately care about the same thing: that you know where your sensitive data is, who can access it, and that you have proportionate controls to prevent unauthorised access or exfiltration.
Data classification
You cannot protect data you have not categorised. Data classification for a small regulated team does not need to be a six-month project. A simple three-tier scheme works for most firms:
- Restricted: Client confidential data, legal advice, financial records, personal data. Access requires authentication, encryption, and audit logging. Never stored on unmanaged devices. Never shared via unencrypted email.
- Internal: Operational documents, internal processes, non-sensitive communications. Accessible to all employees. Not shared externally without review.
- Public: Marketing materials, published content, public filings. No access controls required.
Once you have the classification scheme, apply it to your existing data. Microsoft Purview Information Protection and Google Workspace DLP both allow you to label documents and email with classification levels and enforce handling rules automatically.
Encryption
For a small regulated team, the encryption baseline is:
- At rest: Disk encryption on all managed devices (mandatory via MDM). Cloud storage encrypted by the provider (standard for all major cloud services). Client-provided documents stored in an encrypted vault with access controls, not a shared drive folder.
- In transit: TLS 1.2 or higher for all web traffic (enforced by your browser and any reputable SaaS provider). No client documents sent as unencrypted email attachments — use a secure portal with a link to retrieve.
- End-to-end: For particularly sensitive communications — legal advice privilege, high-value transaction details — consider end-to-end encrypted messaging. Signal for consumer use; purpose-built secure platforms for regulated professional communications.
DLP basics
Data Loss Prevention (DLP) for a small team does not require a complex enterprise DLP deployment. The practical minimum:
- Enable the built-in DLP policies in Microsoft Purview or Google Workspace — these automatically detect credit card numbers, national insurance numbers, passport numbers, and other PII in email and file storage, and can warn or block sharing
- Configure your email system to warn before sending externally if the email contains attachments labelled "Restricted"
- Block sharing of items from your secure document vault to external email — require portal access instead
- Enable audit logging for all file access and download events in your document storage
The 4-week zero trust implementation sprint
Here is a realistic, week-by-week plan for a team of 10–50 people with no dedicated security engineer. Each week builds on the last. This is not a full enterprise deployment — it is the baseline that addresses 80–90% of real-world attack vectors for regulated small teams.
Identity
- Enable mandatory MFA for all users in Microsoft 365 / Google Workspace
- Migrate from SMS MFA to authenticator app for all users
- Audit all user accounts — remove any ex-employee accounts, shared accounts, or service accounts with no documented owner
- Enable SSO for your top 5 most-used business applications
- Block legacy authentication protocols (basic auth, SMTP auth for non-mail apps)
- Document your intended RBAC role structure
Device
- Enrol all company-owned devices in MDM (Intune, Jamf Now, or JumpCloud)
- Enforce disk encryption on all enrolled devices
- Create a BYOD policy and communicate minimum requirements to all staff
- Enable conditional access: require compliant device for access to Restricted-tier applications
- Verify that all enrolled devices have current OS patches applied
- Test remote wipe capability on a test device before relying on it for production
Application & Network
- Run a full OAuth audit — identify and revoke over-permissioned or unused third-party applications
- Configure geo-blocking conditional access policy — block sign-in from countries with no business presence
- If on-premises resources exist, deploy Cloudflare Access or Tailscale to replace VPN for remote access
- Review admin rights in every business-critical application — reduce to minimum required
- Document all currently-used SaaS applications (the full list will surprise you)
- Establish an application approval process — new SaaS tools require IT sign-off before OAuth authorisation
Data
- Apply the three-tier classification scheme to all data stores — document vault, email, cloud storage
- Enable built-in DLP policies for PII detection in Microsoft Purview or Google Workspace
- Implement RBAC roles across your CRM, document management, and client portal
- Verify that client portal users can access only their own files
- Enable audit logging for all file access and download events
- Run a tabletop exercise: "A fee earner's laptop is stolen. What do we do?" Walk through the actual steps.
After four weeks: MFA blocks automated credential attacks. SSO means you can deprovision a leaver in one action. Managed devices mean you can remotely wipe a lost laptop. Conditional access means an attacker in a foreign country cannot use stolen credentials. OAuth cleanup removes dozens of shadow IT connections. DLP means accidental PII leaks generate alerts before they become incidents. This is not a perfect zero trust architecture — but it is a qualitative step-change from where most small teams start.
Budget reality check for a 20-person team
A common objection to zero trust for small teams is cost. Here is the realistic monthly budget for a 20-person regulated team implementing the framework described in this guide.
| Component | Tool (example) | Monthly cost (20 users) | Notes |
|---|---|---|---|
| Identity + MFA + SSO + MDM + DLP | Microsoft 365 Business Premium | $440 | $22/user/month. Includes Intune MDM, Entra ID P1, Defender for Business, Purview DLP, Authenticator app. |
| ZTNA (if on-prem resources exist) | Cloudflare Zero Trust | $0–$100 | Free up to 50 users for core features. Pay tier at $7/user/month adds Gateway and email security. |
| Device management (macOS-heavy) | Jamf Now | $0–$80 | $4/device/month for managed Apple devices. If using Intune already (included in M365 BP), may not be needed. |
| SaaS audit / SSPM | Nudge Security | $0–$200 | Free tier covers basic visibility. Paid tier at $10/user/month adds enforcement and policies. |
| Secure client portal + RBAC | HubSecure | ~$300–$600 | Replaces insecure email document exchange with a compliant portal with built-in RBAC and audit trail. |
| Total range | $740–$1,420/month | Depending on tool choices and whether Cloudflare paid tier is needed. | |
To contextualise: a single data breach involving client personal data typically costs a small professional services firm £50,000–£200,000 when you factor in regulatory fines (ICO enforcement), client notification obligations, incident response costs, reputational damage, and legal defence. The annualised cost of the zero trust baseline above is $8,880–$17,040. That is the premium on an insurance policy that covers the most catastrophic operational risk your firm faces.
Note on Microsoft 365 Business Premium: If your team is already on M365 Business Standard, upgrading to Premium ($22/user vs $12.50/user) unlocks Intune, Defender for Business, Entra ID P1, and Purview — which together cover identity, device, and data pillars without any additional tools. For most small regulated teams using Microsoft, this single upgrade is the highest-leverage first move.
Frequently asked questions
Do we need a dedicated IT person to implement zero trust?
No — but you do need someone with the time and mandate to do it. The four-week sprint described in this guide is achievable by an IT-capable office manager or operations lead using the admin consoles of tools you likely already have. The configuration decisions are not complex; the hard part is getting organisational buy-in and ensuring the policies are actually applied to all users without exceptions. If your organisation has no one with the technical confidence to manage Microsoft 365 admin, a one-time engagement with a managed service provider to set up the baseline is well worth the cost.
We're a small firm using Google Workspace, not Microsoft. Does this guidance still apply?
Yes, with different tool names. Google Workspace Business Plus or Enterprise provides similar capabilities to Microsoft 365 Business Premium — Google's Context-Aware Access for conditional access, endpoint verification for basic device management, Google Workspace DLP for data loss prevention, and Google Workspace SSO for identity federation. The four-week sprint structure applies identically; you just use Google's admin console instead of Microsoft's. The one gap in the Google stack for smaller teams is full-featured MDM — for macOS-heavy teams on Google Workspace, supplementing with Jamf Now is typically recommended.
What is the difference between zero trust and SOC 2 or Cyber Essentials?
SOC 2 and Cyber Essentials are compliance frameworks that certify your security controls against a defined standard. Zero trust is a security architecture — a way of designing access control. They are complementary, not alternatives. Implementing the zero trust baseline described in this guide will satisfy a significant portion of the Cyber Essentials requirements (MFA, access control, managed devices, secure configuration). It will also make a SOC 2 audit substantially easier because the controls are already in place and documented. Zero trust is what you build; the certification is how you prove you built it.
How do we handle contractors and freelancers who need access to client data?
This is one of the most common identity challenges for small teams. The zero trust answer is: never grant a contractor the same access level as a full-time employee. Use guest accounts in your identity provider with time-limited access, scoped to the specific project they need. Use a secure portal for document exchange rather than granting network or shared drive access. Enforce MFA on all guest accounts. Set an automatic access expiry date when the account is created. Review all contractor accounts monthly. When an engagement ends, revoke access that day — not "when someone gets around to it."
How does zero trust protect us from ransomware specifically?
Ransomware typically enters via one of three vectors: a phishing email that delivers a malicious attachment, a credential attack that gives an attacker remote access, or exploitation of an unpatched system. MFA directly addresses the credential attack vector — even with stolen credentials, the attacker cannot authenticate without the second factor. Managed devices with current OS patches address the unpatched system vector. Conditional access (blocking access from unexpected locations and device types) limits what an attacker can do even if they get through. RBAC limits the blast radius — if a compromised account can only access the files that user is permitted to see, the ransomware operator cannot encrypt your entire dataset from that entry point. Zero trust does not make ransomware impossible, but it makes it dramatically harder and significantly limits the damage when it does occur.
See how HubSecure implements zero trust for regulated client operations
HubSecure is built on the zero trust principles described in this guide — RBAC at every layer, audit logging on every access, encrypted document vault, and client portal access that never requires clients to share credentials. In our demo, we show you how it works in a real regulated workflow.
Book a demoReviewed for regulated teams
Prepared by the HubSecure editorial team for IT managers, operations leads, and compliance officers at small regulated firms evaluating zero trust security architecture.