TL;DR

Zero trust is not a product — it's a security model built on explicit verification, least-privilege access, and breach assumption. For a mid-size Australian business (10-50 staff), a phased 90-day rollout using identity providers (Entra ID, Okta, or Authentik), device management (Intune or Jamf), and network micro-segmentation (Tailscale or Cloudflare Zero Trust) delivers measurable risk reduction without a $1M budget. This guide walks you through the five pillars, a staged implementation plan with concrete config choices, and the three most expensive mistakes SMBs make.

Why 2026 is the Year to Adopt Zero Trust

The old perimeter model died when work went hybrid. By 2026, 84% of data breaches still involve compromised credentials (Verizon DBIR 2025). Australian Signals Directorate Essential Eight Maturity Level 2 now aligns with zero-trust principles. CISA’s Known Exploited Vulnerabilities (KEV) catalog is adding multiple actively exploited edge-device flaws every week — firewalls and VPNs are the attack surface, not the solution. For a mid-size business, zero trust means every access request is authenticated, authorised, and encrypted — regardless of network location.

The Five Pillars: A Practical Lens

Identity
This is the new perimeter. Deploy phishing-resistant MFA (FIDO2 / Windows Hello for Business). Choose an identity provider: Microsoft Entra ID (free tier + P1 for conditional access), Okta (mid-market sweet spot), or Authentik (open-source, self-hosted). Enforce conditional access: block legacy auth, require a compliant device, apply risk-based step-up.

Device
Every endpoint must be enrolled in MDM and prove it's healthy before accessing data. Microsoft Intune (included in Business Premium, ~$30/user) for Windows; Jamf Pro for macOS. Enforce disk encryption, minimum OS version, and configuration profiles. Block non-compliant devices at the IdP level.

Network
Replace "trusted VLAN" with encrypted peer-to-peer mesh. Tailscale's free tier covers up to 100 users with ACLs per device; Cloudflare Zero Trust ($7/user/month) combines ZTNA with remote browser isolation. All traffic gets TLS 1.3, mutual authentication, and default-deny unless explicitly allowed.

Application
Apps must support modern auth (SAML, OIDC). For line-of-business apps that don't, place them behind a Cloudflare Tunnel or Azure App Proxy — no inbound firewall rules. Segment access by sensitivity: payroll apps require PIM/PAM elevation, generic fileshares get user-level RBAC only.

Data
Classify into public, internal, confidential, and regulated. Apply Microsoft Purview sensitivity labels or your DLP tool of choice. Encrypt at rest (BitLocker, FileVault) and in transit (TLS 1.2+). Log every data access event and feed to a SIEM — even if it's just Microsoft Sentinel's free tier.

90-Day Staged Rollout

Weeks 1–2: Identity Foundations

  • Choose IdP. For Microsoft shops on Business Premium, go Entra ID + Windows Hello (FIDO2 ready, no extra cost). Mac-heavy teams: Okta for easy Jamf integration; budget-conscious with in-house Linux skills: Authentik on an Azure B2s VM.
  • Enforce MFA for all users, including admins. Block legacy authentication via conditional access policy.
  • Register every user's device in Entra ID or Okta; begin device compliance baseline.
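As an added example (not the article's own code), here is what the two conditional access policies from this phase look like as Microsoft Graph request bodies, built in Python with a small lint that catches the two rollout mistakes that hurt most: no break-glass exclusion, and creating a restrictive policy straight into the enabled state. The field names follow the Graph conditionalAccessPolicy schema; the policy names, the lint rules and the BREAK_GLASS_ID placeholder are assumptions.

```python
"""Conditional access policy bodies for the Weeks 1-2 identity steps.

Added example, not the article's code. The dictionaries follow the Microsoft Graph
conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies);
BREAK_GLASS_ID is a placeholder for your own emergency-access account's object id.
"""
import json

# Placeholder: replace with the object id of the break-glass account you exclude.
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000000"

REPORT_ONLY = "enabledForReportingButNotEnforced"


def block_legacy_auth_policy(exclude_users, state=REPORT_ONLY):
    """Block Exchange ActiveSync and 'other' clients (POP, IMAP, SMTP auth) for all users."""
    return {
        "displayName": "ZT-01 Block legacy authentication",
        "state": state,
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_compliant_device_policy(exclude_users, state=REPORT_ONLY):
    """Grant access only from a device that Intune/Jamf reports as compliant."""
    return {
        "displayName": "ZT-02 Require compliant device",
        "state": state,
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def lint_policy(policy):
    """Return the problems to fix before a policy is created or moved to 'enabled'."""
    problems = []
    users = policy["conditions"]["users"]
    if users["includeUsers"] == ["All"] and not users["excludeUsers"]:
        problems.append("targets all users with no break-glass exclusion; one mistake locks out every admin")
    controls = policy["grantControls"]["builtInControls"]
    if policy["state"] == "enabled" and ("block" in controls or "compliantDevice" in controls):
        problems.append("restrictive policy created directly as 'enabled'; create it report-only first and review sign-in impact")
    return problems


if __name__ == "__main__":
    for policy in (block_legacy_auth_policy([BREAK_GLASS_ID]),
                   require_compliant_device_policy([BREAK_GLASS_ID])):
        print(json.dumps(policy, indent=2))
        print("lint:", lint_policy(policy) or "ok")
```

Create both policies in report-only mode, review the sign-in log for a week or two to see which users and apps would have been blocked, then change the state to "enabled".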

Weeks 3–6: Device and Network Segmentation

  • Deploy Intune or Jamf. Push compliance policies (encryption, firewall on, OS patch level).
  • Roll out Tailscale (or Cloudflare ZTNA) to 20% of users. Start with dev team or IT staff. Replace VPN access to internal servers with tagged ACLs. All traffic logs available for audit.
  • Create one “break-glass” account with time-limited, just-in-time admin access, logged and alerted.
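To make "tagged ACLs, default-deny" concrete, here is an added Python example (not Tailscale's code and not the article's) that evaluates a simplified Tailscale-style policy against a constructed device inventory. It handles only "tag:name" entries and "*", which is enough to show the property that matters: a flow with no matching accept rule is dropped, so the pilot group's laptops reach their dev servers on the listed ports and nothing else.

```python
"""Default-deny evaluation of a simplified Tailscale-style tag ACL.

Added example: not Tailscale's code and not the article's. Real Tailscale policy
files also accept users, groups, autogroups and CIDR ranges; this evaluator handles
only "tag:name" entries and "*" so the default-deny shape is easy to see. The policy
and the device inventory below are constructed.
"""

# Constructed policy for the Weeks 3-6 pilot: developers reach dev servers on two
# ports, IT staff reach everything, and every flow not listed is dropped.
POLICY = {
    "acls": [
        {"action": "accept", "src": ["tag:dev"], "dst": ["tag:dev-server:22", "tag:dev-server:8080"]},
        {"action": "accept", "src": ["tag:it"], "dst": ["*:*"]},
    ]
}

# Constructed inventory: node name -> tags applied to it.
DEVICES = {
    "alice-laptop": {"tag:dev"},
    "bob-laptop": {"tag:it"},
    "carol-laptop": {"tag:sales"},
    "build-01": {"tag:dev-server"},
    "payroll-db": {"tag:finance-server"},
}


def _port_matches(spec, port):
    """spec is '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def _dst_matches(entry, dst_tags, port):
    """Split 'tag:name:port' at the last colon and match host and port separately."""
    host, _, port_spec = entry.rpartition(":")
    return (host == "*" or host in dst_tags) and _port_matches(port_spec, port)


def allowed(policy, src_tags, dst_tags, port):
    """True only when some accept rule matches; no matching rule means deny."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(s == "*" or s in src_tags for s in rule["src"]):
            continue
        if any(_dst_matches(d, dst_tags, port) for d in rule["dst"]):
            return True
    return False


def check(src, dst, port, policy=POLICY, devices=DEVICES):
    """Decide one flow between two named devices."""
    return allowed(policy, devices[src], devices[dst], port)


if __name__ == "__main__":
    for flow in [("alice-laptop", "build-01", 22), ("alice-laptop", "build-01", 3389),
                 ("carol-laptop", "build-01", 22), ("bob-laptop", "payroll-db", 5432)]:
        print(flow, "accept" if check(*flow) else "deny")
```

The point to carry over to the real policy file: there is no deny rule to write, because absence of an accept rule is the deny. Every new service the pilot group needs becomes an explicit entry, which is also the audit trail.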

Weeks 7–12: Application and Data Enforcement

  • Migrate all apps behind ZTNA proxy. Sunset any remaining port-forwarded services.
  • Apply sensitivity labels to SharePoint/OneDrive and on-premise file shares.
  • Connect device compliance to conditional access: block non-compliant devices from all company resources.
  • Run a live-fire test: simulate a compromised credential (with a temporary test account) and confirm it cannot access anything without device context and location checks.

Throughout all phases, patch actively exploited vulnerabilities in edge devices — CISA KEV is your weekly to-do list.

Three Mistakes Most SMBs Make

1. Boiling the Ocean
They try to deploy all five pillars simultaneously on Day 1 with no staging. Result: user revolt, IT burnout, project abandoned. Fix: Identity and device take priority. Network segmentation follows. Data classification comes last.

2. Ignoring Legacy Apps
A 15-year-old accounting system that only supports LDAP plaintext will break zero trust. Instead of excluding it from policy (the common sin), place it behind an IdP-aware proxy with session encryption — Authentik's outpost or Azure App Proxy.

3. Skipping Device Trust
MFA alone won't stop an attacker who phishes credentials and logs in from a clean browser. Without device compliance enforcement, you have one-factor authentication. Fix: Require a compliant, enrolled device before granting any access to internal resources.
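The live-fire test in Weeks 7-12 and mistake 3 describe the same check from two sides, so one added example covers both: a small policy decision point in Python (not the article's code and not any IdP's engine) that evaluates a sign-in against credentials, MFA, device enrolment and compliance, location, and resource sensitivity. The request fields, the resource tiers, the allowed countries and the rule order are assumptions; the `require_device` flag switches the device checks off to show the "one-factor authentication" state the mistake describes.

```python
"""A minimal policy decision point for the Weeks 7-12 live-fire test and for
mistake 3 (skipping device trust).

Added example, not the article's code or any IdP's engine. The request fields,
the resource sensitivity table, the allowed countries and the decision order are
assumptions chosen to show one thing: a correct password plus MFA is not enough
unless the request also comes from an enrolled, compliant device.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    mfa_method: Optional[str]      # "fido2", "whfb", "totp", "sms" or None
    device_enrolled: bool          # registered in Intune/Jamf
    device_compliant: bool         # encryption, firewall, patch level all pass
    country: str                   # from sign-in IP geolocation
    resource: str


# Constructed: resource -> sensitivity tier from the Data pillar.
RESOURCE_TIER = {"fileshare": "internal", "wiki": "internal", "payroll": "regulated"}
# Constructed: where staff actually sign in from.
ALLOWED_COUNTRIES = {"AU", "NZ"}
PHISHING_RESISTANT = {"fido2", "whfb"}


def decide(req, require_device=True):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    require_device=False models the pre-MDM state the article warns about,
    where MFA is the only second factor checked.
    """
    if not req.password_ok:
        return "deny", ["wrong credentials"]
    reasons = []
    if req.mfa_method is None:
        reasons.append("no MFA")
    if require_device:
        if not req.device_enrolled:
            reasons.append("device not enrolled in MDM")
        elif not req.device_compliant:
            reasons.append("device fails compliance policy")
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append(f"sign-in from unexpected country {req.country}")
    if reasons:
        return "deny", reasons
    if (RESOURCE_TIER.get(req.resource, "confidential") == "regulated"
            and req.mfa_method not in PHISHING_RESISTANT):
        return "step_up", ["regulated resource needs phishing-resistant MFA and PIM elevation"]
    return "allow", []


# Live-fire scenario: the tester holds the temporary test account's password and a
# TOTP code (the 'compromised credential') but signs in from an unmanaged machine.
# An Australian IP is used so that device trust, not geolocation, is what decides.
PHISHED = AccessRequest("test-user@example.com", True, "totp", False, False, "AU", "fileshare")
STAFF = AccessRequest("alice@example.com", True, "fido2", True, True, "AU", "fileshare")
PAYROLL_TOTP = AccessRequest("alice@example.com", True, "totp", True, True, "AU", "payroll")

if __name__ == "__main__":
    print("with device trust:   ", decide(PHISHED))
    print("without device trust:", decide(PHISHED, require_device=False))
    print("staff, fileshare:    ", decide(STAFF))
    print("staff, payroll, TOTP:", decide(PAYROLL_TOTP))
```

The second line of output is the test result the article asks you to confirm: with the device checks switched off, the scenario is allowed, which is exactly the gap that makes MFA-only deployments one-factor in practice.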

FAQ

Q: Do we need to replace our firewall with zero trust?
No. Keep your perimeter firewall for DDoS protection and basic filtering, but stop trusting it as your primary security layer. Zero trust assumes the network is hostile.

Q: How much does a practical zero trust implementation cost for 30 users?
Using Microsoft 365 Business Premium (~$30/user/month with Entra ID P1, Intune, Defender for Business) plus Tailscale free tier, the incremental cost can be near zero if you already have M365. Okta + Jamf + Cloudflare ZTNA for 30 users runs roughly $9,000–$12,000/year.

Q: Can we self-host everything with open source?
Yes. Authentik for identity, Wazuh for SIEM/detection, Tailscale's Headscale (open-source coordination server), and Snipe-IT for asset management. Requires in-house Linux expertise, but total licence cost is $0.

Q: What’s the biggest quick win?
Disable legacy authentication protocols (POP, IMAP, SMTP auth, ActiveSync) in your IdP conditional access policy. It stops 99% of brute-force and password spray attacks within minutes.
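Before you switch that policy on, you want to know which accounts still sign in over legacy protocols (so they can be migrated rather than silently broken) and whether any source is already spraying them. This added Python example (not the article's code) runs both checks over constructed Entra ID sign-in records; the field names follow the Microsoft Graph signIn resource, and treating "Other clients" as legacy is an assumption that matches how conditional access classifies it.

```python
"""Find who still signs in with legacy protocols, and spot password spray, in Entra
ID sign-in log records before you enable the blocking policy.

Added example, not the article's code. Field names (userPrincipalName, clientAppUsed,
ipAddress, status.errorCode) follow the Microsoft Graph signIn resource; the records
below are constructed, not tenant data.
"""
import json
from collections import defaultdict

# clientAppUsed values Entra reports for basic-auth clients; assumption: the
# catch-all "Other clients" is treated as legacy, as conditional access does.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"}
INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password


def _event(user, client, ip, code, ts="2026-03-02T08:15:00Z"):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "clientAppUsed": client,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: two legitimate legacy users, one modern sign-in, and one
# source address failing against six different accounts through basic auth.
SAMPLE_EVENTS = [
    _event("alice@example.com", "Browser", "203.0.113.10", 0),
    _event("bob@example.com", "IMAP4", "203.0.113.11", 0),
    _event("scanner@example.com", "Authenticated SMTP", "203.0.113.12", 0),
] + [
    _event(f"{name}@example.com", "Other clients", "198.51.100.7", INVALID_PASSWORD)
    for name in ("alice", "bob", "carol", "dave", "erin", "frank")
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_users(events):
    """user -> legacy clients they signed in with successfully: your migration list."""
    found = defaultdict(set)
    for e in events:
        if e["clientAppUsed"] in LEGACY_CLIENTS and e["status"]["errorCode"] == 0:
            found[e["userPrincipalName"]].add(e["clientAppUsed"])
    return dict(found)


def spray_sources(events, min_users=5):
    """Source IPs with failed sign-ins against at least min_users distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["status"]["errorCode"] != 0:
            failed[e["ipAddress"]].add(e["userPrincipalName"])
    return sorted((ip, len(users)) for ip, users in failed.items() if len(users) >= min_users)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("legacy auth still in use:", legacy_auth_users(events))
    print("possible password spray:", spray_sources(events))
```

In the sample the only accounts that need attention are the IMAP mailbox and the multifunction printer sending SMTP, which is typical: the migration list is short, and the spray source is the reason not to wait.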

Conclusion

Zero trust isn't a single tool purchase — it's an architectural shift that pays off in reduced insurance premiums, faster breach detection, and meeting Essential Eight compliance. The 90-day plan above gives you measurable benchmarks without overwhelming your team. Start with identity and device, lock down network access, then layer on application and data controls.

Ready to assess your current zero trust maturity? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs.

References

  1. Australian Signals Directorate – Essential Eight Maturity Model
  2. CISA Known Exploited Vulnerabilities Catalog
  3. Verizon 2025 Data Breach Investigations Report
  4. Microsoft Zero Trust Maturity Model
  5. NIST SP 800-207 Zero Trust Architecture

TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/


Security isn't about being perfect — it's about being prepared. lilMONSTER helps small businesses check their vendors, make a plan, and sleep better at night. Book a free chat at https://consult.lil.business?utm_source=blog&utm_medium=post&utm_campaign=akzonobel-eli10
