Zero Trust for Normal People
When I talk to executives about security, they're often intimidated by one phrase: zero trust.
They picture a sprawling security operations centre, mission control dashboards, and a team of analysts watching every click.
But here's the truth: zero trust is a mindset shift, not a product. It means verifying every access request on its own merits instead of trusting it because it came from inside the network.
You don't need a SOC. You just need practical controls, common sense, and a bit of discipline.
What Zero Trust Actually Means
The traditional model was perimeter defence: firewalls, VPNs, and the assumption that anyone already inside the network is legitimate.
Zero trust flips that:
- Never trust, always verify. No matter where the request comes from.
- Assume breach. Design as if an attacker is already inside, so any request might be malicious.
- Least privilege. Only give access to what someone needs.
- Micro-segmentation. Break your network into smaller, more secure segments.
It doesn't have to be complex. Start with the identity layer, because that is where most attackers get in.
The Identity-First Approach (Where SMBs Can Start)
If you're wondering how to start, identity is the low-hanging fruit:
Step 1: MFA Everywhere
If you want to adopt zero trust, start with multi-factor authentication on every account.
Not just for admins. Not just for privileged systems. Every user, every application.
A stolen or phished password is no longer enough on its own, which blunts the credential theft that starts most intrusions. It's the simplest way to verify a request. Where you can, prefer phishing-resistant factors (security keys or passkeys) over SMS codes and push approvals, which attackers can relay or wear people down into accepting.
Step 2: Conditional Access
Set policies that evaluate:
- Who is requesting access
- From what device (managed vs unmanaged)
- From what location
- For which application
You can require MFA for risky requests (new device, unknown location, sensitive app) and relax it for trusted scenarios.
This is zero trust in action: you're not trusting a login just because it came from inside the VPN. You're evaluating risk and requiring verification.
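To make the policy concrete, here is an added example (not code from the original article or from any identity provider) of the decision a conditional access policy makes for one sign-in. The signals, the set of sensitive apps and the home country are assumptions chosen for illustration; the logic is the one the four bullets above describe: block unmanaged devices from sensitive apps outright, demand a second factor when any risk signal is present, and let a known managed device in the usual country through without a fresh prompt.

```python
from dataclasses import dataclass

# Hypothetical values for illustration: which apps count as sensitive
# and which country the business normally operates from.
SENSITIVE_APPS = {"payroll", "finance-erp", "admin-portal"}
HOME_COUNTRY = "AU"


@dataclass(frozen=True)
class AccessRequest:
    """The signals a conditional access policy evaluates for one sign-in."""
    user: str
    app: str
    device_managed: bool    # enrolled in MDM and reporting compliant
    device_known: bool      # this user has signed in from it before
    country: str            # country of the source IP
    mfa_completed: bool     # a second factor was satisfied in this session


def evaluate(req: AccessRequest):
    """Return (decision, reasons) where decision is
    'allow', 'require_mfa' or 'block'."""
    # Hard stop: sensitive data never goes to a device we do not manage,
    # regardless of how the user authenticated.
    if req.app in SENSITIVE_APPS and not req.device_managed:
        return "block", ["unmanaged device requesting a sensitive app"]

    risk = []
    if not req.device_known:
        risk.append("new device")
    if req.country != HOME_COUNTRY:
        risk.append(f"sign-in from {req.country}")
    if req.app in SENSITIVE_APPS:
        risk.append("sensitive application")

    # Any risk signal means the session must carry a second factor.
    if risk and not req.mfa_completed:
        return "require_mfa", risk
    # Trusted scenario, or MFA already satisfied: let it through.
    return "allow", risk


if __name__ == "__main__":
    # Constructed sample sign-ins, one per scenario the text describes.
    samples = [
        AccessRequest("alice", "email", True, True, "AU", False),
        AccessRequest("alice", "email", True, False, "AU", False),
        AccessRequest("bob", "payroll", True, True, "AU", True),
        AccessRequest("bob", "payroll", False, True, "AU", True),
        AccessRequest("carol", "git", True, True, "DE", False),
    ]
    for r in samples:
        decision, why = evaluate(r)
        print(f"{r.user:6} {r.app:9} -> {decision:12} {'; '.join(why)}")
```

Note that "allow" here means no step-up prompt, not no authentication: the user still signed in, the policy just judged the context trustworthy enough not to demand a fresh factor.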
Step 3: Least Privilege
Review admin rights regularly. Most people have more access than they need.
- Use role-based access controls (RBAC)
- Remove access when roles change
- Review access quarterly
This makes lateral movement harder for attackers.
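A quarterly access review is mostly a diff between two lists: what HR says each person's role is, and what the identity provider actually grants them. The following is an added example (not from the original article) of that diff with constructed data; the roles, group names and accounts are assumptions for illustration. It flags three things the review should catch: groups left over from an old role, people who have left but were never offboarded, and accounts with no HR record at all (typically service accounts) that need a named owner.

```python
# All inputs below are constructed for this example; real ones come from
# your HR system and a group export from your identity provider.
ROLE_ENTITLEMENTS = {            # job role -> groups that role legitimately needs
    "accountant": {"email", "finance-erp"},
    "engineer": {"email", "git", "ci"},
    "it-admin": {"email", "git", "admin-portal"},
}
PRIVILEGED_GROUPS = {"admin-portal"}

HR_ROSTER = {                    # user -> current job role (None = has left)
    "alice": "accountant",
    "bob": "engineer",
    "carol": "it-admin",
    "dave": None,
}

IDP_GROUPS = {                   # user -> groups the identity provider grants today
    "alice": {"email", "finance-erp", "git"},    # git is left over from an old role
    "bob": {"email", "git", "ci"},
    "carol": {"email", "git", "admin-portal"},
    "dave": {"email", "finance-erp"},            # departed but never offboarded
    "svc-backup": {"admin-portal"},              # no HR record at all
}


def review_access(roster, groups, entitlements):
    """Compare granted groups against the role each person currently holds.
    Returns one finding per account that needs action."""
    findings = []
    for user, granted in sorted(groups.items()):
        if user not in roster:
            findings.append({"user": user, "action": "assign_owner",
                             "groups": sorted(granted),
                             "reason": "account has no HR record"})
        elif roster[user] is None:
            findings.append({"user": user, "action": "disable",
                             "groups": sorted(granted),
                             "reason": "person has left"})
        else:
            extra = granted - entitlements[roster[user]]
            if extra:
                findings.append({"user": user, "action": "remove",
                                 "groups": sorted(extra),
                                 "reason": f"not part of role {roster[user]}"})
    return findings


def privileged_accounts(groups, privileged=PRIVILEGED_GROUPS):
    """Accounts holding any privileged group: the list someone signs off each quarter."""
    return sorted(u for u, g in groups.items() if g & privileged)


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, IDP_GROUPS, ROLE_ENTITLEMENTS):
        print(f"{f['user']:11} {f['action']:13} {f['groups']}  ({f['reason']})")
    print("privileged accounts to review:", privileged_accounts(IDP_GROUPS))
```

Run it against a real export and the "remove" findings are your quarterly clean-up list, while the privileged account list is the number the measurement section later asks you to track.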
Step 4: Device Hygiene
Know which devices are connecting to your network. Manage them.
- Enforce disk encryption
- Keep operating systems patched
- Install endpoint detection (EDR)
- Block unmanaged devices when they try to access sensitive systems
Even at a small business, you can use tools like Microsoft Intune or Jamf to manage devices.
Zero Trust Without the Fancy Tooling
You don't need to buy the latest zero trust platform. Here’s what you can do with tools you already have:
Use Your Identity Provider
Most identity providers (Okta, Microsoft Entra ID (formerly Azure AD), JumpCloud) already have zero trust features:
- Conditional access policies
- Device compliance checks
- Application segmentation
- Threat detection
Configure them properly. Don't treat them as "just another login screen." Make them the central control plane.
Segment Critical Data
You don't need micro-segmentation across the entire network. Start with what matters:
- Finance systems
- HR data
- Customer data
- Intellectual property
Restrict access to these systems. Keep them on separate VLANs or use application-level segmentation. Use firewall rules to limit communication.
Log Everything (Even If You Don't Have a SIEM)
You don't need a SIEM to start logging. Use built-in logging in your identity provider, firewall, and endpoint tools.
Collect logs centrally (even if it's just manual exports). Review them weekly. Look for:
- Failed logins from outside Australia (or wherever your people actually work)
- Unusual privilege escalations
- New device enrolments
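The weekly review is a handful of checks you can script against a plain JSON export long before you own a SIEM. Below is an added example (not from the original article or from any vendor) that runs the three checks listed above over a constructed log sample in the one-object-per-line shape many identity providers export; the field names, the privileged role names and the home country are assumptions. It goes one step beyond the list: it also notices one address failing against several different accounts, which is the password spray pattern the per-user view hides, and it reports what share of successful logins carried MFA, a number the measurement section later asks for.

```python
import json

HOME_COUNTRY = "AU"
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admin"}
SPRAY_THRESHOLD = 3     # distinct accounts failing from one IP before we call it a spray

# Constructed sample export: one JSON object per line. Addresses are
# documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
{"ts":"2024-05-03T08:01:12Z","event":"login","user":"alice","result":"success","country":"AU","ip":"203.0.113.10","mfa":true}
{"ts":"2024-05-03T08:03:40Z","event":"login","user":"bob","result":"failure","country":"DE","ip":"198.51.100.7","mfa":false}
{"ts":"2024-05-03T08:03:52Z","event":"login","user":"carol","result":"failure","country":"DE","ip":"198.51.100.7","mfa":false}
{"ts":"2024-05-03T08:04:05Z","event":"login","user":"dave","result":"failure","country":"DE","ip":"198.51.100.7","mfa":false}
{"ts":"2024-05-03T09:15:00Z","event":"role_assigned","user":"bob","role":"Global Administrator","by":"carol"}
{"ts":"2024-05-03T09:20:33Z","event":"device_enrolled","user":"alice","device":"iPhone-alice-2"}
{"ts":"2024-05-03T10:02:19Z","event":"login","user":"bob","result":"success","country":"AU","ip":"203.0.113.22","mfa":false}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Apply the weekly review checks and return (kind, subject, detail, extra) tuples."""
    findings = []
    failed_by_ip = {}   # ip -> set of distinct users that failed from it
    for e in events:
        kind = e["event"]
        if kind == "login" and e["result"] == "failure":
            if e["country"] != HOME_COUNTRY:
                findings.append(("foreign_failed_login", e["user"], e["country"], e["ip"]))
            failed_by_ip.setdefault(e["ip"], set()).add(e["user"])
        elif kind == "role_assigned" and e["role"] in PRIVILEGED_ROLES:
            findings.append(("privilege_escalation", e["user"], e["role"], e["by"]))
        elif kind == "device_enrolled":
            findings.append(("new_device", e["user"], e["device"], None))
    # One address failing against several accounts is the password spray pattern.
    for ip, users in failed_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:
            findings.append(("password_spray", ip, f"{len(users)} accounts", None))
    return findings


def mfa_coverage(events):
    """Percentage of successful logins that carried a second factor."""
    ok = [e for e in events if e["event"] == "login" and e["result"] == "success"]
    return round(100 * sum(e["mfa"] for e in ok) / len(ok), 1) if ok else 0.0


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for f in triage(events):
        print(*[x for x in f if x is not None])
    print(f"MFA coverage on successful logins: {mfa_coverage(events)}%")
```

Every finding is something a person should look at, not an automatic block: the role assignment by carol may be legitimate, but "who approved it?" is exactly the question the weekly review exists to ask.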
The Human Side of Zero Trust
Zero trust isn't just about technology. It's about culture.
People need to understand why you're asking them to verify themselves again. Don't make MFA feel punitive. Explain: "We're verifying every login because attackers are already inside our network. This is how we stop them."
Train your staff:
- Why they shouldn't skip MFA prompts
- How to handle suspicious requests (call the requester, confirm via another channel)
- The importance of reporting anomalies
Focus on user education, not just technology.
Zero Trust vs. Legacy Systems
Many businesses have legacy systems that don't support modern authentication. Here's how to handle them:
Option 1: Put them behind a Zero Trust Gateway
Use a reverse proxy or VPN appliance that enforces MFA before the legacy system is reachable. The gateway only helps if it is the only path in: firewall the legacy system so it accepts connections from the gateway alone, otherwise anyone who can reach it directly bypasses the whole control.
Option 2: Isolate them
Keep the old system on a segmented network. Limit who can access it. Monitor every connection.
Option 3: Containerize or Replace
If it's feasible, replace the legacy system with a modern alternative. If not, wrap it with modern controls: containerising an old application doesn't fix its authentication, but it makes it easier to pin down where it runs, restrict what it can talk to, and put a modern front door in front of it.
The goal is to avoid blindly trusting the old system just because it's "always been there."
How to Measure Zero Trust Progress
Stop measuring zero trust by how many tools you've bought. Measure it by behaviour:
- Percentage of access requests validated with MFA
- Number of privileged accounts reviewed each quarter
- Time to detect unauthorized access attempts
- Number of security incidents involving lateral movement
Zero trust success looks like fewer compromised accounts, faster detection, and a culture of verification.
The Family Zero Trust Experiment
Here's a fun experiment: apply zero trust at home for a week.
- Require MFA on family accounts (Netflix, Apple ID, banking)
- Verify new devices before they connect to Wi-Fi
- Limit access to shared folders ("financials" vs "photos")
- Monitor for unusual login attempts and talk about them at dinner
You'll realise how often you just trust things without thinking. The same laziness exists at work.
And when you get tired of it, you can relax the family policy temporarily. You can't do that easily at work.
If you want to learn more about identity-first security, read our guide to MFA rollout best practices. Zero trust starts with identity.
Mathew Clark
Founder, SecureInSeconds
Currently: Verifying every login from my holiday cottage Wi-Fi, because we assume breach here too
Further Reading:
- NIST Zero Trust Architecture (SP 800-207)
- ACSC zero trust guidance
- Our guide to MFA rollout best practices — identity is the foundation
