TL;DR

Zero trust is not a product — it's a security model built on explicit verification, least-privilege access, and breach assumption. For a mid-size Australian business (10-50 staff), a phased 90-day rollout using identity providers (Entra ID, Okta, or Authentik), device management (Intune or Jamf), and network micro-segmentation (Tailscale or Cloudflare Zero Trust) delivers measurable risk reduction without a $1M budget. This guide walks you through the five pillars, a staged implementation plan with concrete config choices, and the three most expensive mistakes SMBs make.

Why 2026 is the Year to Adopt Zero Trust

The old perimeter model died when work went hybrid. By 2026, 84% of data breaches still involve compromised credentials (Verizon DBIR 2025). Australian Signals Directorate Essential Eight Maturity Level 2 now aligns with zero-trust principles. CISA’s Known Exploited Vulnerabilities (KEV) catalog is adding multiple actively exploited edge-device flaws every week — firewalls and VPNs are the attack surface, not the solution. For a mid-size business, zero trust means every access request is authenticated, authorised, and encrypted — regardless of network location.

The Five Pillars: A Practical Lens

Identity
This is the new perimeter. Deploy phishing-resistant MFA (FIDO2 / Windows Hello for Business). Choose an identity provider: Microsoft Entra ID (free tier + P1 for conditional access), Okta (mid-market sweet spot), or Authentik (open-source, self-hosted). Enforce conditional access: block legacy auth, require compliant device, apply risk-based step-up.

Device
Every endpoint must be enrolled in MDM and prove it's healthy before accessing data. Microsoft Intune (included in Business Premium, ~$30/user) for Windows; Jamf Pro for macOS. Enforce disk encryption, minimum OS version, and configuration profiles. Block non-compliant devices at the IdP level.

Network
Replace "trusted VLAN" with encrypted peer-to-peer mesh. Tailscale's free tier covers up to 100 users with ACLs per device; Cloudflare Zero Trust ($7/user/month) combines ZTNA with remote browser isolation. All traffic gets TLS 1.3, mutual authentication, and default-deny unless explicitly allowed.

Application
Apps must support modern auth (SAML, OIDC). For line-of-business apps that don't, place them behind a Cloudflare Tunnel or Azure App Proxy — no inbound firewall rules. Segment access by sensitivity: payroll apps require PIM/PAM elevation, generic fileshares get user-level RBAC only.

Data
Classify into public, internal, confidential, and regulated. Apply Microsoft Purview sensitivity labels or your DLP tool of choice. Encrypt at rest (BitLocker, FileVault) and in transit (TLS 1.2+). Log every data access event and feed to a SIEM — even if it's just Microsoft Sentinel's free tier.

90-Day Staged Rollout

Weeks 1–2: Identity Foundations

  • Choose IdP. For Microsoft shops on Business Premium, go Entra ID + Windows Hello (FIDO2 ready, no extra cost). Mac-heavy teams: Okta for easy Jamf integration; budget-conscious with in-house Linux skills: Authentik on an Azure B2s VM.
  • Enforce MFA for all users, including admins. Block legacy authentication via conditional access policy.
  • Register every user's device in Entra ID or Okta; begin device compliance baseline.

Weeks 3–6: Device and Network Segmentation

  • Deploy Intune or Jamf. Push compliance policies (encryption, firewall on, OS patch level).
  • Roll out Tailscale (or Cloudflare ZTNA) to 20% of users. Start with the dev team or IT staff. Replace VPN access to internal servers with tagged ACLs. Keep all traffic logs available for audit.
  • Create one “break-glass” account with time-limited, just-in-time admin access, logged and alerted.

Weeks 7–12: Application and Data Enforcement

  • Migrate all apps behind ZTNA proxy. Sunset any remaining port-forwarded services.
  • Apply sensitivity labels to SharePoint/OneDrive and on-premise file shares.
  • Connect device compliance to conditional access: block non-compliant devices from all company resources.
  • Run a live-fire test: simulate a compromised credential (with a temporary test account) and confirm it cannot access anything without device context and location checks.

Throughout all phases, patch actively exploited vulnerabilities in edge devices — CISA KEV is your weekly to-do list.

Three Mistakes Most SMBs Make

1. Boiling the Ocean
They try to deploy all five pillars simultaneously on Day 1 with no staging. Result: user revolt, IT burnout, project abandoned. Fix: Identity and device take priority. Network segmentation follows. Data classification comes last.

2. Ignoring Legacy Apps
A 15-year-old accounting system that only supports LDAP plaintext will break zero trust. Instead of excluding it from policy (the common sin), place it behind an IdP-aware proxy with session encryption — Authentik's outpost or Azure App Proxy.

3. Skipping Device Trust
MFA alone won't stop an attacker who phishes credentials and logs in from a clean browser. Without device compliance enforcement, you have one-factor authentication. Fix: Require a compliant, enrolled device before granting any access to internal resources.
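As an added example (not code from the original guide), a small policy decision point in Python that models the conditional-access rules listed under the Identity pillar and runs the week-12 live-fire test: a phished password plus a relayed one-time code from an unenrolled browser must be blocked, while the same user on a compliant device with a FIDO2 key is allowed. The request fields, policy names and sample accounts are assumptions, not Entra ID or Okta API objects.

```python
"""Minimal conditional-access decision point modelling the policies this
guide prescribes: block legacy auth, require MFA, require a compliant
enrolled device, and step up on risk.  Added example; request fields and
policy names are assumptions, not Entra ID or Okta objects."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    STEP_UP = "step-up"   # re-authenticate with a phishing-resistant factor


# Protocols that cannot carry an MFA challenge (constructed list mirroring
# the legacy-authentication set named in the FAQ).
LEGACY_CLIENTS = {"pop3", "imap4", "smtp-auth", "activesync", "other"}
PHISHING_RESISTANT = {"fido2", "whfb"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    client_app: str            # "browser", "mobile-desktop", or a legacy protocol
    mfa_method: str | None     # None, "sms", "totp", "fido2", "whfb"
    device_enrolled: bool      # registered in the IdP / MDM
    device_compliant: bool     # encryption, OS version, firewall all pass
    sign_in_risk: str = "low"  # "low" | "medium" | "high" (IdP risk signal)
    resource_sensitivity: str = "internal"  # "internal" | "confidential"


def evaluate(req: AccessRequest) -> tuple[Decision, str]:
    """Apply policies in order; the first matching block wins.
    Returns the decision and the name of the policy that produced it."""
    # Policy 1: legacy protocols cannot be challenged for MFA, so they are
    # blocked outright (the guide's "biggest quick win").
    if req.client_app in LEGACY_CLIENTS:
        return Decision.BLOCK, "block-legacy-auth"
    # Policy 2: every user, admins included, must present MFA.
    if req.mfa_method is None:
        return Decision.BLOCK, "require-mfa"
    # Policy 3: device trust.  A phished session from a clean, unenrolled
    # browser fails here even when the one-time code was relayed.
    if not (req.device_enrolled and req.device_compliant):
        return Decision.BLOCK, "require-compliant-device"
    # Policy 4: high risk is blocked; medium risk, or any access to
    # confidential data, must step up to a phishing-resistant factor.
    if req.sign_in_risk == "high":
        return Decision.BLOCK, "block-high-risk"
    needs_strong = (req.sign_in_risk == "medium"
                    or req.resource_sensitivity == "confidential")
    if needs_strong and req.mfa_method not in PHISHING_RESISTANT:
        return Decision.STEP_UP, "risk-based-step-up"
    return Decision.ALLOW, "grant"


def live_fire_test() -> dict[str, Decision]:
    """Week-12 drill with a temporary test account: the attacker 'has' the
    password and a relayed TOTP code but no enrolled device; the real user
    signs in from a compliant laptop; payroll needs a step-up from TOTP."""
    phished = AccessRequest("test.user@example.com", "browser", "totp",
                            device_enrolled=False, device_compliant=False)
    legitimate = AccessRequest("test.user@example.com", "browser", "fido2",
                               device_enrolled=True, device_compliant=True)
    payroll = AccessRequest("test.user@example.com", "browser", "totp",
                            device_enrolled=True, device_compliant=True,
                            resource_sensitivity="confidential")
    return {"phished": evaluate(phished)[0],
            "legitimate": evaluate(legitimate)[0],
            "payroll-with-totp": evaluate(payroll)[0]}
```

If the "phished" case returns anything other than a block, device compliance is not yet wired into conditional access and the rollout is still at MFA-only.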

FAQ

Q: Do we need to replace our firewall with zero trust?
No. Keep your perimeter firewall for DDoS protection and basic filtering, but stop trusting it as your primary security layer. Zero trust assumes the network is hostile.

Q: How much does a practical zero trust implementation cost for 30 users?
Using Microsoft 365 Business Premium (~$30/user/month with Entra ID P1, Intune, Defender for Business) plus Tailscale free tier, the incremental cost can be near zero if you already have M365. Okta + Jamf + Cloudflare ZTNA for 30 users runs roughly $9,000–$12,000/year.

Q: Can we self-host everything with open source?
Yes. Authentik for identity, Wazuh for SIEM/detection, Headscale (an open-source implementation of the Tailscale coordination server), and Snipe-IT for asset management. Requires in-house Linux expertise, but total licence cost is $0.

Q: What’s the biggest quick win?
Disable legacy authentication protocols (POP, IMAP, SMTP auth, ActiveSync) in your IdP conditional access policy. It stops 99% of brute-force and password spray attacks within minutes.

Conclusion

Zero trust isn't a single tool purchase — it's an architectural shift that pays off in reduced insurance premiums, faster breach detection, and meeting Essential Eight compliance. The 90-day plan above gives you measurable benchmarks without overwhelming your team. Start with identity and device, lock down network access, then layer on application and data controls.

Ready to assess your current zero trust maturity? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs.

References

  1. Australian Signals Directorate – Essential Eight Maturity Model
  2. CISA Known Exploited Vulnerabilities Catalog
  3. Verizon 2025 Data Breach Investigations Report
  4. Microsoft Zero Trust Maturity Model
  5. NIST SP 800-207 Zero Trust Architecture

TL;DR

  • Google found that hackers used 90 secret software holes (called "zero-days") in 2025 to break into computers
  • Nearly half of these attacks targeted business equipment like firewalls and routers, not web browsers
  • The good news: you don't need to patch everything, just focus on the holes hackers are actually using
  • Smart businesses focus on the 1% of problems that matter instead of trying to fix everything

What's a "Zero-Day"? (Simple Explanation)

Imagine you buy a house with a secret door that you didn't know existed. Burglars discover this secret door and start using it to break into houses. The door manufacturer doesn't know about the problem yet, so there's no fix available.

That's a zero-day vulnerability — a secret security hole that:

  • The software maker doesn't know about
  • Has no available fix (patch)
  • Hackers are actively using to break in

The name comes from the idea that the software maker has had zero days to create and release a fix.

Google's security team tracked 90 of these secret holes being used by hackers in 2025 [1]. That's up from 78 in 2024, meaning the problem is growing.

The Big Shift: Hackers Changed Targets

Here's what's really important for business owners: hackers have shifted targets.

Old pattern (before 2025): Hackers mostly focused on web browsers (Chrome, Safari, Firefox) as the way into computers.

New pattern (2025): Hackers now focus on business equipment:

  • Firewalls (the security guards for your internet connection)
  • Routers (the traffic directors for your network)
  • VPN systems (how employees connect remotely)

Google found that 48% of all zero-day attacks in 2025 targeted business systems — the highest level ever recorded [1]. Meanwhile, attacks on browsers dropped to less than 10%.

What this means for you: The equipment you bought to protect your business (firewalls, security appliances) is now the primary target. The assumption that "browsers are the weak point" is outdated.


Why Business Equipment Is Targeted

Think about it from a hacker's perspective:

Web browsers:

  • Get updated frequently (Chrome updates every 2-4 weeks)
  • Have strong security built in
  • Run on each person's computer, where security software can watch them
  • If hacked, only affect one computer

Business firewalls and routers:

  • Often run for years without updates
  • Have limited security monitoring (often can't run antivirus software)
  • Sit at the edge of your network — if hacked, give access to everything
  • Affect the entire business if compromised

Google points out that limited visibility on these devices is a recurring problem [1] — meaning security teams often can't see what's happening on them until it's too late.

The 1% Rule: Don't Try to Fix Everything

Here's something that might surprise you: across all software companies, there were over 20,000 security issues discovered in 2025 [2].

But Google tracked only 90 that hackers actually used.

This is the 1% Rule: focus on the 1% of problems that are being exploited, ignore the 99% that are theoretical.

Smart businesses don't try to patch everything. They:

  1. Subscribe to alerts from the US cybersecurity agency (CISA) about which vulnerabilities hackers are actually using
  2. Prioritise those for immediate patching
  3. Handle the rest during regular maintenance, not as emergencies


The Vendor Reality: Cisco, Fortinet, and Others

Google's report specifically mentions that Cisco and Fortinet — two very common business equipment vendors — were frequent targets [1].

This doesn't mean their products are bad. It means:

  • They're widely used (lots of businesses have them)
  • Hackers focus on popular targets (more potential victims)
  • When flaws are found, hackers exploit them quickly

If your business uses Cisco or Fortinet equipment (and many do), the solution isn't to panic and replace everything. The solution is:

  • Keep them updated — Install security patches promptly
  • Monitor them — Watch for unusual activity
  • Protect them — Put them behind additional security layers

Think of it like car safety: just because some car models have had recalls doesn't mean you stop driving. You just stay informed and get the fixes when they're available.

What AI Means for Zero-Days (Future Warning)

Google warns that artificial intelligence will make this problem worse by:

  1. Finding holes faster — AI can test software automatically and find vulnerabilities quicker than human researchers
  2. Building attacks faster — AI can create code to exploit vulnerabilities as soon as they're discovered
  3. Automating everything — What used to take skilled hackers months can now be done in days by AI tools

But AI also helps defenders:

  1. Finding holes first — AI can discover vulnerabilities before hackers do, giving software makers time to fix them
  2. Detecting attacks — AI can spot attack patterns even when the specific vulnerability is unknown
  3. Responding faster — AI can automatically isolate systems and limit damage when attacks occur

The message for businesses: AI-powered security is becoming essential, not optional. The cost of AI security tools is falling, and they're increasingly the only way to keep up with AI-powered attackers.


The Practical Protection Plan

You can't fix zero-days directly (by definition, they're secret and unpatched). But you CAN protect your business:

1. Reduce the Attack Surface (Close Unnecessary Doors)

If a vulnerability exists but can't be reached, it can't be exploited.

What to do:

  • Turn off features you don't use on your firewall and router
  • Disable remote management from the internet (only allow management from inside your network)
  • Separate guest WiFi from business systems (compromised guest devices shouldn't reach business data)

Real impact: The US cybersecurity agency CISA found that over 60% of exploited vulnerabilities in business equipment are reached via exposed management interfaces [2]. Simply closing these interfaces prevents the majority of attacks.

2. Assume Breach, Focus on Detection

Since some zero-days will inevitably be used, focus on catching the attack early.

What to do:

  • Monitor network traffic for unusual patterns (large data transfers at odd hours, connections to unknown servers)
  • Install EDR (Endpoint Detection and Response) on computers that manage your business equipment
  • Keep logs and review them regularly for suspicious activity

Why this works: You can't stop every zero-day, but you can detect when something's wrong and respond before major damage occurs.

3. Patch Smart, Not Hard

When patches become available, focus on the ones that matter:

Priority system:

  1. Urgent (patch within 48 hours) — Vulnerabilities that CISA confirms are being actively exploited by hackers
  2. Important (patch within 30 days) — Critical vulnerabilities from equipment vendors
  3. Routine (patch when convenient) — Everything else, during scheduled maintenance

This approach ensures limited time and resources go to real threats, not theoretical ones.
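As an added example (not code from the original article), the 1% Rule and the three-tier priority system above carried through in Python: a device inventory of the kind the week-one checklist asks for is triaged against KEV-style records, with KEV membership outranking the vendor's own severity rating. The inventory layout and CVE numbers are constructed placeholders, and the KEV records are trimmed to the field names used here.

```python
"""Triage a device inventory against CISA KEV-style records using the
article's tiers: Urgent (48 h) for KEV-listed flaws, Important (30 days)
for vendor-rated critical flaws, Routine otherwise.  Added example; the
CVE numbers and inventory format are constructed placeholders."""
from datetime import datetime, timedelta

# Constructed KEV-style records (trimmed to the keys used below).
KEV_SAMPLE = [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleFW", "product": "EdgeGate"},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVPN", "product": "RemoteLink"},
]

# Constructed inventory: model, firmware, last patch date, and the open CVEs
# from the vendor advisory with the vendor's own severity rating.
INVENTORY = [
    {"asset": "head-office-firewall", "vendor": "ExampleFW", "firmware": "7.2.1",
     "last_patched": "2026-01-10",
     "open_cves": {"CVE-2099-0001": "medium", "CVE-2099-0005": "critical"}},
    {"asset": "branch-router", "vendor": "ExampleNet", "firmware": "3.0.4",
     "last_patched": "2025-11-02",
     "open_cves": {"CVE-2099-0007": "critical"}},
    {"asset": "guest-wifi-ap", "vendor": "ExampleNet", "firmware": "1.9.0",
     "last_patched": "2025-08-15",
     "open_cves": {"CVE-2099-0009": "low"}},
]

TIER_WINDOWS = {"urgent": timedelta(hours=48), "important": timedelta(days=30)}
# Constructed assessment time so the worked example is reproducible.
ASSESSMENT_TIME = datetime(2026, 3, 1, 9, 0)


def triage(inventory, kev_records, now=ASSESSMENT_TIME):
    """Return {asset: (tier, deadline or None, triggering CVEs)}.
    KEV membership outranks vendor severity: a 'medium' CVE on the KEV list
    is still urgent, because exploitation is confirmed, not theoretical."""
    kev_ids = {rec["cveID"] for rec in kev_records}
    result = {}
    for device in inventory:
        exploited = sorted(cve for cve in device["open_cves"] if cve in kev_ids)
        critical = sorted(cve for cve, sev in device["open_cves"].items()
                          if sev == "critical" and cve not in kev_ids)
        if exploited:
            tier, cves = "urgent", exploited
        elif critical:
            tier, cves = "important", critical
        else:
            tier, cves = "routine", sorted(device["open_cves"])
        deadline = now + TIER_WINDOWS[tier] if tier in TIER_WINDOWS else None
        result[device["asset"]] = (tier, deadline, cves)
    return result


def exploited_fraction(inventory, kev_records):
    """The 1% Rule as a number: share of the fleet's open CVEs that are
    confirmed exploited (the ones worth an emergency change window)."""
    kev_ids = {rec["cveID"] for rec in kev_records}
    all_cves = {cve for d in inventory for cve in d["open_cves"]}
    return len(all_cves & kev_ids) / len(all_cves) if all_cves else 0.0


if __name__ == "__main__":
    for asset, (tier, deadline, cves) in triage(INVENTORY, KEV_SAMPLE).items():
        print(f"{asset:22} {tier:9} by {deadline} for {', '.join(cves)}")
    print(f"exploited share of open CVEs: {exploited_fraction(INVENTORY, KEV_SAMPLE):.0%}")
```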

4. Choose Vendors Wisely

When buying business equipment:

Ask vendors:

  • "How quickly do you patch security issues?"
  • "How do you notify customers about vulnerabilities?"
  • "What security features are built in?"

Research vendors:

  • Check their security track record
  • Look for transparent security practices
  • Avoid vendors with histories of slow patching or hiding problems

The Business Case: Why This Matters for Your Bottom Line

Zero-day protection isn't just security — it's business resilience. Consider:

  • Customer trust — Businesses that demonstrate proactive security win more customers
  • Insurance costs — Cybersecurity insurance premiums are lower for well-protected businesses
  • Regulatory compliance — Laws like GDPR require "appropriate" security measures, and zero-day defense is increasingly considered mandatory
  • Supply chain requirements — Larger customers are starting to require vendors to meet security standards

According to industry research, by 2026, 75% of organisations will treat zero-day protection as a board-level issue [3] — meaning it's discussed by company leadership, not just left to IT.

For small businesses, this is actually an advantage: you can move faster than big companies. Implementing smart security practices is easier with 50 systems than 50,000. Use that agility.

The Reality Check: This Is Happening Now

The 90 zero-days Google tracked in 2025 aren't theoretical. They were used against real businesses: hospitals, hotels, manufacturers, professional services.

The Sileno ransomware attack we discussed earlier (22.9 TB encrypted in 14 hours) likely involved exploitation of one or more vulnerabilities in their systems [4].

This isn't science fiction. It's happening today, to businesses like yours.

What You Can Do This Week

Based on Google's report and current threat landscape, here's your immediate checklist:

  1. Inventory your business equipment — Make a list of every firewall, router, VPN device, and wireless access point. Include model, firmware version, and last patch date.
  2. Check for exposed management — Ensure device management interfaces aren't accessible from the internet. If they are, work with your IT person to close that access.
  3. Subscribe to alerts — Sign up for CISA's Known Exploited Vulnerabilities mailing list. These are the vulnerabilities hackers are actually using.
  4. Review vendor advisories — If you use Cisco, Fortinet, or other major vendors, check their security advisory pages for recent announcements.
  5. Plan your patching — Create a simple system: urgent patches within 48 hours, important patches within 30 days, routine updates during scheduled maintenance.

FAQ

Q: What's the difference between a vulnerability and a zero-day?
All zero-days are vulnerabilities, but not all vulnerabilities are zero-days.

  • Vulnerability — A security weakness in software. The software maker may know about it and have a fix available.
  • Zero-day — A vulnerability that is secret (unknown to the software maker) and has no fix yet.

Think of it like health:

  • Vulnerability — A known risk (like smoking). Your doctor can give you advice to address it.
  • Zero-day — A new, unknown disease. No treatments exist yet because doctors haven't seen it before.

Q: How do you protect against something you can't patch?
Since you can't patch what you don't know about, protection focuses on making attacks harder and limiting damage:

  1. Reduce attack surface — Turn off unnecessary features, close exposed management interfaces, and segment networks so compromised devices can't reach everything
  2. Detect compromises early — Monitor network traffic, watch for unusual activity, and have systems that alert you when something's wrong
  3. Limit blast radius — Use network segmentation so even if one device is compromised, the damage doesn't spread

It's like securing a building: you can't guarantee no burglars will ever try to break in, but you can make it harder for them to succeed and limit how much they can steal if they do.

Q: How many zero-days were exploited in 2025?
Google's Threat Intelligence Group tracked 90 zero-day vulnerabilities exploited in 2025 [1]. This is up from 78 in 2024, representing a "stabilised range" of activity according to Google.

The breakdown:

  • 48% targeted enterprise systems (firewalls, routers, business software) — highest ever
  • 44% targeted operating systems (Windows, macOS, Android, iOS)
  • Less than 10% targeted browsers — continuing decline

The shift from browsers to enterprise systems reflects the reality that browsers have gotten much harder to exploit, while business equipment often runs neglected and unmonitored.

Q: Are Cisco and Fortinet products unsafe?
No. Google identifies them as frequently targeted because they're widely used, not because they're uniquely bad [1]. Cisco and Fortinet have enormous market share. More deployments means:

  • More hackers focusing on them (more potential victims)
  • More zero-days discovered simply because there are more targets

The practical approach:

  • Don't abandon proven vendors — Switching to obscure products doesn't guarantee safety (they may have undiscovered vulnerabilities and less testing)
  • Deploy additional controls — If you use Cisco or Fortinet, layer on extra security: monitoring, segmentation, and rapid patching
  • Stay informed — Subscribe to vendor security advisories and respond quickly when they announce issues

It's like car safety: some car models have had recalls, but that doesn't mean you stop driving. You just stay informed and get the fixes.

Q: What is CISA, and why does its catalog matter?
CISA is the Cybersecurity & Infrastructure Security Agency — the US government's cybersecurity agency. Their Known Exploited Vulnerabilities Catalog is a list of security holes that hackers are actively using in the wild [2].

Why it matters:

  • CISA focuses on real threats, not theoretical ones
  • Their catalog tells you exactly what hackers are exploiting right now
  • For many US government agencies and contractors, CISA-listed vulnerabilities must be patched by specific deadlines

For small businesses, CISA's catalog is a free prioritisation tool: instead of trying to figure out which of 20,000 CVEs to worry about, just focus on the ~100-200 on CISA's list at any given time.

References

[1] Google Threat Intelligence Group, "Zero-Day Vulnerability Analysis 2025," Google, 2026. [Online]. Available: https://securitybrief.com.au/story/google-warns-of-surge-in-enterprise-zero-day-attacks

[2] CISA Known Exploited Vulnerabilities Catalog, "Known Exploited Vulnerabilities Catalog," Cybersecurity & Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[3] Gartner, "Zero-Day Vulnerability Management: A Board-Level Risk," Gartner, 2025. [Online]. Available: https://www.gartner.com/zero-day-board-risk

[4] Cybersecurity News Everyday, "Ransom! Sileno Companies Inc (MAR-2026)," Hendry Adrian, 2026. [Online]. Available: https://www.hendryadrian.com/ransom-sileno-companies-inc-mar-2026/


Zero-day protection sounds technical, but it's really about smart prioritization and layered defense. lilMONSTER helps small businesses build practical protection against the threats that actually matter — without overwhelming you with technical complexity. We assess your systems, focus on the 1% of vulnerabilities that matter, and build defense-in-depth that keeps you secure. Book a free consultation at consult.lil.business — let's make sure your business is protected against 2026's threats.
