Zero trust is one of those security terms that gets thrown around so much it starts to feel like buzzword soup. But the underlying idea is genuinely important — and understanding it will change how you think about your business's security posture, even if you never formally "implement zero trust."
The core principle is simple: never trust, always verify. Every user, every device, every connection — regardless of whether they're inside your office network or connecting from a coffee shop in Auckland — must be verified before being granted access to anything. No automatic trust. No assumptions.
Why the old perimeter model is dead
The traditional security model imagined a hard shell around your business — a firewall, a secure office network — and assumed that anything inside that shell was safe. If you were on the corporate network, you were trusted. Everyone outside was untrusted.
That model has been obsolete for years, and COVID-19 finished it off completely. Your staff are working from home, from cafes, from hotel rooms. They're accessing business systems from personal laptops, through shared Wi-Fi networks. Your data lives in cloud services — Microsoft 365, Google Workspace, Xero, Dropbox — that are explicitly outside any "perimeter" you control.
The NIST definition: NIST Special Publication 800-207 is the authoritative US government document on zero trust architecture. It defines zero trust as a set of evolving cybersecurity paradigms that "move defenses from static, network-based perimeters to focus on users, assets, and resources." It's technical, but the first two sections are readable and worth skimming if you want the authoritative framework.
When your perimeter is everywhere and nowhere at the same time, defending a perimeter doesn't make sense anymore. You need to defend the things that actually matter — your data, your systems, your accounts — at the point of access itself.
The three core principles of zero trust
1. Verify explicitly
Every access request must be authenticated and authorised based on all available data points: the user's identity, their device, their location, the time of day, the sensitivity of the resource they're requesting. Being on the "right" network isn't enough. Having a valid password isn't enough. Every connection is evaluated in context.
2. Use least-privilege access
Every user and every system gets the minimum level of access needed to do their job — nothing more. A marketing contractor doesn't need access to your financial records. An employee's laptop shouldn't automatically be able to access every server on the network. Access is scoped tightly and granted deliberately, rather than being open by default and locked down reactively.
3. Assume breach
This is the mindset shift that makes zero trust different. Rather than designing your systems around the assumption that you can keep attackers out, you design them around the assumption that a breach will happen — or already has. If an attacker gets into one part of your environment, what can they reach? What data is exposed? How quickly can you detect and contain the damage?
This principle drives microsegmentation — breaking your network into small zones so that a compromise in one area can't automatically reach everything else.
Is zero trust relevant to small businesses?
The full enterprise zero trust architecture — with identity-aware proxies, continuous endpoint monitoring, microsegmented network infrastructure — is overkill for a 10-person business. But the principles are entirely relevant, and many practical implementations are things you should be doing anyway.
In real terms, zero trust thinking for a small NZ business looks like:
- MFA on everything — your email, your accounting software, your cloud storage. No exceptions. This is verify-explicitly in practice.
- Role-based access control — staff have access to what they need, not everything. When someone leaves the business, their access is revoked immediately.
- Device health checks — before accessing business systems, devices should have current operating system updates and active endpoint protection. Google Workspace and Microsoft 365 both have built-in device policy tools to enforce this.
- No shared accounts — every person has their own login credentials. Shared accounts make it impossible to audit who did what, and a single compromised credential grants access to everyone who uses it.
If you use Microsoft 365 or Google Workspace, both platforms have Conditional Access (Microsoft) or Context-Aware Access (Google) built in at certain tiers. These tools let you enforce MFA, require compliant devices, and block access from unexpected locations — which is about 80% of the value of zero trust for a small business, without a major infrastructure project.
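The "verify explicitly" principle above, and the Conditional Access / Context-Aware Access policies just described, both come down to one decision: given everything known about a request, is it allowed? The following is an added example written for this post, not code from the post and not how Microsoft or Google implement their products. It evaluates a request against user identity, MFA, device health, location, time and resource sensitivity; the policy table, the expected countries, the business hours and the sample requests are all constructed assumptions.

```python
"""Context-aware access decision in the "verify explicitly" style.

Added illustration for this post, not code from the post and not how Microsoft
Conditional Access or Google Context-Aware Access are implemented: the policy
fields, thresholds and sample requests below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool              # enrolled in the business's device policy
    os_patched: bool           # current operating system updates applied
    endpoint_protection: bool  # active endpoint protection


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_passed: bool
    device: Device
    country: str               # where the connection comes from
    on_office_network: bool    # recorded for the audit log only; never relaxes a check
    resource: str
    hour_local: int            # 0-23, local time of the business


# Constructed policy. Sensitivity decides how much context a request must satisfy.
RESOURCE_SENSITIVITY = {
    "email": "standard",
    "cloud-storage": "standard",
    "accounting": "high",
    "customer-records": "high",
}
EXPECTED_COUNTRIES = {"NZ", "AU"}   # assumed: staff only ever connect from here
BUSINESS_HOURS = range(6, 21)       # 06:00-20:59; high-sensitivity access outside this is denied


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is recorded so the decision
    can be audited, and a single failure denies: there is no "trusted network"
    shortcut, so a good password from the office still fails without MFA."""
    reasons: list[str] = []
    # Unknown resources are treated as sensitive rather than open by default.
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")
    dev = req.device

    if not req.password_ok:
        reasons.append("credential failed")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if not (dev.os_patched and dev.endpoint_protection):
        reasons.append("device not healthy")
    if sensitivity == "high" and not dev.managed:
        reasons.append("unmanaged device cannot reach a high-sensitivity resource")
    if req.country not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected location {req.country}")
    if sensitivity == "high" and req.hour_local not in BUSINESS_HOURS:
        reasons.append("high-sensitivity access outside business hours")
    return (not reasons, reasons)


def scenarios() -> dict[str, tuple[bool, list[str]]]:
    """Constructed requests that show which context the decision actually depends on."""
    healthy_managed = Device(managed=True, os_patched=True, endpoint_protection=True)
    personal_laptop = Device(managed=False, os_patched=True, endpoint_protection=True)
    base = dict(user="ana", password_ok=True, mfa_passed=True, country="NZ", hour_local=10)
    return {
        # Right password, on the office network, MFA skipped: denied.
        "office-no-mfa": evaluate(AccessRequest(**{**base, "mfa_passed": False},
                                                device=healthy_managed, on_office_network=True,
                                                resource="accounting")),
        # Cafe in Auckland, managed healthy device, MFA done: allowed.
        "cafe-healthy": evaluate(AccessRequest(**base, device=healthy_managed,
                                               on_office_network=False, resource="accounting")),
        # Same person on a personal laptop: email yes, accounting no.
        "personal-email": evaluate(AccessRequest(**base, device=personal_laptop,
                                                 on_office_network=False, resource="email")),
        "personal-accounting": evaluate(AccessRequest(**base, device=personal_laptop,
                                                      on_office_network=False, resource="accounting")),
        # Valid credentials and MFA from a country the business never works from.
        "unexpected-country": evaluate(AccessRequest(**{**base, "country": "US"}, device=healthy_managed,
                                                     on_office_network=False, resource="email")),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in scenarios().items():
        print(f"{name:20} {'ALLOW' if allowed else 'DENY':5} {', '.join(reasons)}")
```

The point to notice is that `on_office_network` is carried through for the log but never consulted: the office network buys nothing, and the same person on the same laptop can be allowed into email and refused from accounting in the same minute.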
When zero trust moves from principle to project
If your business handles sensitive data — customer financial information, health records, legal documents, anything subject to the NZ Privacy Act 2020 — the zero trust framework gives you a structured way to demonstrate that you're taking access control seriously. This matters both for compliance and for client trust.
It also matters as you grow. A 3-person business can manage access informally. A 15-person business with contractors, remote staff, and multiple cloud systems cannot. Building zero trust habits early means you're not retrofitting security into a system that was designed without it.
The bottom line
You don't need to say the words "zero trust" or hire a consultant to implement a framework. You need to ask: if one of my staff accounts were compromised right now, what would an attacker be able to access? If the honest answer is "basically everything," the zero trust principles give you a clear direction for fixing that.
Start with MFA. Audit who has access to what. Remove access that doesn't need to exist. Assume that breaches happen and design for containment. That's zero trust, practically applied.
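The question in the previous section ("if one of my staff accounts were compromised, what could an attacker reach?") and the least-privilege and shared-account points earlier are answerable with a small audit over who holds which logins and what those logins can reach. The following is an added example for this post, not the post's own code and not a vendor tool: the roles, logins, people and job needs are constructed for a fictional business, where a real audit would export the same data from the identity provider and each cloud app.

```python
"""Access audit: "if this account were compromised right now, what could an attacker reach?"

Added example for this post, not the post's own code or any vendor tool. The
roles, accounts, people and job needs below are constructed for a fictional
business; in practice you would export them from your identity provider and
cloud apps.
"""

# Constructed: what each role can reach.
ROLE_GRANTS = {
    "staff": {"email", "cloud-storage"},
    "finance": {"accounting", "bank-portal"},
    "marketing": {"website-cms", "social-media"},
    "records": {"customer-records"},
    "admin": {"email", "cloud-storage", "accounting", "bank-portal",
              "website-cms", "social-media", "customer-records", "server-admin"},
}

# Constructed: each login, the roles attached to it and the people who know its password.
ACCOUNTS = {
    "ana@": {"roles": {"staff", "finance"}, "used_by": {"ana"}},
    "ben@": {"roles": {"staff", "marketing"}, "used_by": {"ben"}},
    "jo@": {"roles": {"staff", "marketing", "finance"}, "used_by": {"jo"}},  # contractor; finance left over from an old project
    "sam@": {"roles": {"staff", "admin"}, "used_by": {"sam"}},              # owner
    "reception@": {"roles": {"staff", "records"}, "used_by": {"ana", "ben", "jo"}},  # shared login
}

# Constructed: what each person's job actually requires.
JOB_NEEDS = {
    "ana": {"email", "cloud-storage", "accounting", "bank-portal", "customer-records"},
    "ben": {"email", "cloud-storage", "website-cms", "social-media"},
    "jo": {"email", "website-cms", "social-media"},
    "sam": set(ROLE_GRANTS["admin"]),
}


def account_reach(account: str, accounts=ACCOUNTS) -> set[str]:
    """Resources an attacker holding this one login could reach."""
    return set().union(*(ROLE_GRANTS[r] for r in accounts[account]["roles"]))


def blast_radius(person: str, accounts=ACCOUNTS) -> set[str]:
    """Resources exposed if this person's credentials are phished: every login they
    know the password for, shared ones included, is assumed compromised."""
    return set().union(*(account_reach(a, accounts) for a, info in accounts.items()
                         if person in info["used_by"]))


def excess_access(person: str, accounts=ACCOUNTS) -> set[str]:
    """Least-privilege gap: what the person can reach but does not need."""
    return blast_radius(person, accounts) - JOB_NEEDS[person]


def shared_accounts(accounts=ACCOUNTS) -> list[str]:
    """Logins used by more than one person: activity on them cannot be attributed."""
    return sorted(a for a, info in accounts.items() if len(info["used_by"]) > 1)


def revoke_role(account: str, role: str, accounts=ACCOUNTS) -> None:
    """Drop one role from one login (access that 'doesn't need to exist')."""
    accounts[account]["roles"].discard(role)


def offboard(person: str, accounts=ACCOUNTS) -> list[str]:
    """Remove a leaver everywhere. Personal logins with no remaining user are
    disabled (all roles dropped); shared logins they knew are returned, because
    removing the name does nothing until the shared password is changed."""
    needs_rotation = []
    for account, info in accounts.items():
        if person not in info["used_by"]:
            continue
        info["used_by"].discard(person)
        if info["used_by"]:
            needs_rotation.append(account)
        else:
            info["roles"].clear()
    return sorted(needs_rotation)


if __name__ == "__main__":
    for person in JOB_NEEDS:
        print(f"{person:4} reaches {sorted(blast_radius(person))}; excess {sorted(excess_access(person))}")
    print("shared logins (unauditable):", shared_accounts())
```

Run as-is, the report shows the contractor reaching the accounting system and the bank portal through a stale role, and every user of the shared reception login reaching customer records that only one of them needs; `revoke_role` and `offboard` are the two actions that shrink those sets, and the list `offboard` returns is the reminder that a shared password has to be rotated, not just a name removed.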
Your website is part of your security posture too. We build sites that don't create unnecessary exposure — proper configurations, no unnecessary plugins, clean code. If you want to talk about what a well-built site looks like from a security perspective, let's do it.