The End of the Castle-and-Moat Approach for UK Organisations


Many small to medium organisations with 30–400 users are not compromised because they lack security altogether. More often, a single stolen password acts as a master key, giving attackers access to multiple systems.

This illustrates a flaw in the traditional “castle-and-moat” approach. Once an attacker breaches the perimeter, they often move through the environment with minimal restrictions. Today, with cloud applications, remote working, shared links, and bring-your-own-device (BYOD) policies, the concept of a network perimeter is no longer clearly defined.

Zero Trust architecture offers a practical solution. It treats every access request as a potential risk, requiring verification every time, regardless of where it originates.


What Is Zero Trust Architecture?

Zero-Trust shifts security away from static network perimeters and focuses on users, assets, and resources. It assumes no implicit trust is granted to accounts or devices based solely on network location or ownership.

Microsoft summarises the principle simply: “never trust, always verify”. Each access request is treated as though it comes from an untrusted network, even if it originates within the office.

The stakes are high. IBM reports that the global average cost of a data breach exceeds $4 million, making risk containment essential.

In practice, Zero-Trust follows three core principles:

  1. Verify explicitly
  2. Use least-privilege access
  3. Assume breach

For organisations, this translates into:

  • Identity-first controls: Enforcing strong multi-factor authentication (MFA), blocking legacy authentication methods, and applying stricter policies to administrative accounts.
  • Device-aware access: Checking who is signing in and whether the device is managed, patched, and meets security standards.
  • Segmentation to limit impact: Dividing systems into smaller zones so access to one area does not automatically grant access to all areas. Cloudflare refers to this as microsegmentation, which prevents lateral movement between systems.

Getting Started

Attempting to implement Zero-Trust across all systems at once often leads to frustration and minimal progress. Instead, begin with a clearly defined protect surface: the critical systems, data, and workflows that matter most and can realistically be secured first.

What Counts as a Protect Surface?

A protect surface typically includes:

  • Business-critical applications
  • High-value datasets
  • Core operational services
  • High-risk workflows

Five Protect Surfaces Commonly Prioritised by Small to Medium Organisations

Most small to medium organisations with 30–400 users start with:

  1. Identity and email systems
  2. Finance and payment platforms
  3. Client data storage
  4. Remote access pathways
  5. Administrative accounts and management tools

As BizTech emphasises, there is no “Zero Trust in a box”. Success relies on the right combination of people, processes, and technology.

The Zero Trust Roadmap

A roadmap turns Zero-Trust from concept into action. Each phase builds on the previous one, delivering meaningful risk reduction without overcomplicating workflows.

1. Start with Identity

Access decisions should be based on who is requesting access and whether they should have it at that moment. Steps include:

  • Enforcing MFA across all accounts
  • Eliminating weak sign-in methods
  • Separating administrative accounts from daily user accounts

2. Include Devices in Trust Decisions

Zero-Trust evaluates not just credentials but device security. Microsoft guidance highlights securing both managed devices and BYOD. Key steps:

  • Establish a baseline of security: patched operating systems, disk encryption, and endpoint protection
  • Require compliant devices for access to sensitive data
  • Implement a BYOD policy that limits access rather than providing unrestricted entry

3. Apply Least-Privilege Access

Users should only have access to the resources required for their role. Practical actions include:

  • Removing shared login accounts and broad access groups
  • Using role-based access to define permissions by job function
  • Requiring additional verification for administrative privileges and logging all elevated access

4. Secure Applications and Data

Access should be verified at the resource level, particularly in cloud environments. Start with your protect surface:

  • Tighten sharing settings
  • Require stronger sign-in checks for high-risk applications
  • Assign accountable owners for every critical system and dataset

5. Assume Breach

Microsegmentation creates smaller, controlled zones so a breach in one area does not compromise everything. Steps include:

  • Segmenting critical systems from general user access
  • Restricting administrative pathways to management tools
  • Minimising lateral movement opportunities

6. Implement Visibility and Response

Verification is continuous and informed by logs, alerts, and threat intelligence. Minimum viable visibility includes:

  • Centralising alerts for sign-ins, endpoints, and critical applications
  • Defining what constitutes suspicious activity for your protect surface
  • Establishing a simple response process

Your Zero-Trust Roadmap

Zero Trust for small to medium organisations with 30–400 users begins with a clear, focused plan rather than a shopping list. Start with a single protect surface and commit to measurable improvements over the next 30 days. Small, consistent steps reduce risk and avoid unnecessary complexity.

If you need support defining your protect surface and building a practical Zero-Trust roadmap, contact us today. We help UK organisations prioritise the right controls, align them to your environment, and transform Zero Trust from theory into steady progress.