“Zero Trust” sounds like enterprise fluff. 500-page frameworks, SASE, ZTNA, identity fabrics.
For a 20-person business in Pretoria, it means 3 things. Ignore the rest.
Reality: If you have Microsoft 365 Business Premium, you already own 90% of it. You just haven’t turned it on.
The Only 3 Pillars That Matter for SMEs
1. MFA Everywhere (Identity)
Zero Trust rule: Never trust, always verify. A password is not verification.
- What to do: Enforce MFA on M365, VPN, firewall, accounting software. No exceptions for “it’s annoying”.
- How: Azure AD > Security > Conditional Access > Require MFA for all users. 10 minutes.
- SA context: SAPS reports 80% of BEC cases had no MFA. POPIA fines apply if you didn’t take “reasonable steps”.
2. Device Compliance (Device)
Zero Trust rule: Don’t let infected personal laptops access company data.
- What to do: Only allow email/SharePoint access from devices with: BitLocker on, antivirus updated, OS patched.
- How: Intune (included in Business Premium) > Compliance policies > Mark non-compliant devices > Block access.
- SA context: Load shedding = staff work from home on old personal PCs. This is your #1 risk.
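The two "How" steps above are clicked through the Azure AD and Intune portals. The same outcome, expressed as one Conditional Access policy that enforces pillar 1 (MFA for every user) and pillar 2 (only Intune-compliant devices get in), looks like this when created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, the signed-in account can manage Conditional Access, and the break-glass object ID placeholder is replaced with a real emergency-access account.

```powershell
# Added example: one Conditional Access policy covering pillar 1 (MFA) and
# pillar 2 (compliant device) for all cloud apps via Microsoft Graph PowerShell.
# Assumes: Install-Module Microsoft.Graph -Scope CurrentUser has been run and
# the account holds the Conditional Access Administrator role.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object ID of an emergency-access account that is
# excluded from the policy, so a mistake here cannot lock every admin out.
$breakGlass = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")

$policy = @{
    displayName = "SME baseline - MFA and compliant device for all cloud apps"
    # Start in report-only mode; switch to "enabled" once the sign-in log
    # (Report-only tab) shows no unexpected failures for a few days.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlass
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: a sign-in must prove identity with MFA AND come from a device
        # that Intune currently marks compliant (BitLocker on, AV current, patched).
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Leaving the policy in report-only for a few days is the cheap way to find the old personal PCs from the "SA context" line before they are blocked: every sign-in that would have failed shows up in the report-only results of the sign-in log, and the "compliantDevice" control only passes once the device is actually enrolled in Intune and meets the compliance policy.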
3. Least Privilege Access (Access)
Zero Trust rule: Staff only access what they need. No “admin for everyone”.
- What to do: Remove Global Admin from daily accounts. Finance can’t see HR folders. Sales can’t export all customers.
- How: M365 Admin > Active Users > Remove admin roles. SharePoint > Site permissions > Break inheritance.
- SA context: Disgruntled employee/ex-employee theft is 30% of data breaches. Limit damage radius.
What to Ignore (For Now)
Microsegmentation, SDP, CASB, SWG. These are for 500+ user enterprises. You’ll spend R50k on tools and still get phished if MFA is off.
Get the 3 pillars right first. Audit in 6 months. Add complexity only if you need it.
1-Week Implementation Plan
Day 1-2: Enable MFA for all users. Use number matching. Send staff 2-min video.
Day 3-4: Enroll devices in Intune. Set compliance policy. Block non-compliant.
Day 5: Audit admin roles. Remove Global Admin from 90% of staff. Document who has what.
Day 6-7: Test. Try logging in from personal phone without MFA. Should fail. Try accessing HR folder as sales. Should fail.
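The Day 5 admin-role audit and the Day 6-7 checks can be run read-only from one script instead of clicking through three portals. This is an added example, not part of the original post; it assumes the Microsoft.Graph module and an account with at least the Global Reader role, and it changes nothing in the tenant.

```powershell
# Added example: read-only audit for the Day 5 (admin roles) and Day 6-7
# (is MFA really enforced, which devices are non-compliant) steps, using the
# Microsoft Graph PowerShell SDK. Assumption: Global Reader or higher.

Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All", "DeviceManagementManagedDevices.Read.All"

# 1. Pillar 3: who holds Global Administrator? Daily-use mailboxes should not.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if ($null -eq $gaRole) {
    Write-Warning "Global Administrator role not found in this tenant."
} else {
    $admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
    "`n== Global Administrators ({0}) ==" -f $admins.Count
    foreach ($m in $admins) {
        # Role members are generic directory objects; user fields sit in AdditionalProperties.
        "{0,-40} {1}" -f $m.AdditionalProperties['userPrincipalName'], $m.AdditionalProperties['displayName']
    }
    # Threshold is a constructed rule of thumb, not from the post: a 20-person
    # shop needs two or three named admin accounts, not most of the staff.
    if ($admins.Count -gt 3) {
        Write-Warning "More than 3 Global Admins: remove the role from daily accounts (pillar 3)."
    }
}

# 2. Pillar 1: is there an ENABLED Conditional Access policy that requires MFA
#    for all users? Report-only and disabled policies do not protect anyone.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy)
$mfaForAll = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
"`n== Conditional Access =="
if ($mfaForAll) {
    "MFA enforced for all users by: " + (($mfaForAll | ForEach-Object DisplayName) -join ', ')
} else {
    Write-Warning "No enabled policy requires MFA for all users (pillar 1 is OFF)."
}
$caPolicies | Where-Object { $_.State -eq 'enabledForReportingButNotEnforced' } | ForEach-Object {
    "Still report-only, not enforcing: $($_.DisplayName)"
}

# 3. Pillar 2: which enrolled devices are non-compliant right now? These are
#    the machines the compliant-device control blocks once it is enforced.
$nonCompliant = @(Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All)
"`n== Non-compliant Intune devices ({0}) ==" -f $nonCompliant.Count
foreach ($d in $nonCompliant) {
    "{0,-30} {1,-30} last sync {2}" -f $d.DeviceName, $d.UserPrincipalName, $d.LastSyncDateTime
}
```

Run it before Day 1 to get a baseline and again on Day 7: the Global Admin list should have shrunk to the named admin accounts, the MFA check should name an enabled policy rather than warn, and the non-compliant list is the set of laptops to fix (or retire) before the policy leaves report-only.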
Want Us to Do This For You?
Our R950 IT Health Check includes a full Zero Trust audit. We check MFA, device compliance, and privilege creep. You get a 1-page report + we fix it same-day if you want.
Book R950 Check
Still confused? Download the M365 checklist — it covers pillars 1 and 3. Or WhatsApp us and we’ll voice note it in 2 mins.