TL;DR

Zero trust for a 10-50 person business does not mean buying an enterprise stack or rebuilding your network from scratch. It means enforcing identity, device posture, least-privilege access, application controls, and data protection in a staged 90-day rollout using tools your team can actually operate.

The fastest path for most Australian SMBs is to start with identity and device trust, then replace broad VPN-style access with app-level or device-aware access, and finally tighten data and admin controls. Recent 2026 exploit activity and CISA KEV (Known Exploited Vulnerabilities) additions are a reminder that unpatched systems and over-trusted remote access still give attackers their easiest path in.

Zero trust in 2026 means “never trust by location”

For small businesses, zero trust is not a product. It is an operating model: every access request is evaluated on who the user is, what device they are using, what they are trying to reach, and whether the action is appropriate.

That matters more in 2026 because the attack pattern has not changed as much as the marketing has. Attackers still win through compromised credentials, unmanaged endpoints, exposed admin portals, stale remote access, and delayed patching. Weekly KEV additions and rapid weaponisation of fresh flaws show the same lesson repeatedly: if your controls assume “inside the network = trusted”, you are already behind.

The five pillars SMBs actually need to implement

1. Identity

Identity is the control plane. If this is weak, everything else becomes theatre.

For most 10-50 seat businesses, the sensible choices are:

  • Microsoft Entra ID if you already use Microsoft 365 Business Premium
  • Okta if you are heavily SaaS-centric and need deep app integrations
  • Authentik if you need self-hosted SSO for internal apps and have Linux capability

Baseline controls:

  • Enforce MFA for all users, not just admins
  • Disable legacy auth protocols where possible
  • Create separate admin accounts for privileged work
  • Use conditional access or sign-on policies based on risk, location, and device state
  • Map every SaaS app to SSO before adding more security tooling

Concrete minimum:

  • Entra ID: require MFA for all cloud apps, block sign-in from non-compliant devices for admin roles
  • Okta: enforce phishing-resistant factors for admins, app sign-on policies per group
  • Authentik: front internal apps with SSO and short session lifetimes, but do not treat it as a full MDM replacement

2. Device

Zero trust fails when unmanaged laptops can still access email, files, and admin consoles.

Practical options:

  • Intune for Windows-first or Microsoft 365 shops
  • Jamf Pro or Jamf Now for Mac-heavy businesses
  • Combined Intune + Jamf if you are mixed-platform

Minimum device posture:

  • Full-disk encryption enabled
  • EDR or Defender enabled
  • OS auto-update enforced
  • Local admin removed from standard users
  • Screen lock and strong passcode policy
  • Compliance policy feeding access decisions into the IdP

3. Network

The goal is not a flatter VPN. The goal is less network trust.

Good SMB options:

  • Tailscale for private device-to-device and service access with identity-aware ACLs
  • Cloudflare Zero Trust for browser-based access to internal web apps, SSH, and RDP via policies

Practical rule:

  • Use Tailscale where staff need reliable access to private services, NAS, or RDP from managed devices
  • Use Cloudflare Access where you can publish a web app or protect admin panels without exposing them directly

4. Application

Every application should have named access, not shared passwords and not “anyone on the office Wi-Fi”.

Do this:

  • Put line-of-business apps behind SSO
  • Remove shared admin logins
  • Restrict admin consoles to specific groups
  • Use short-lived access and logging for SSH, RDP, and web admin

5. Data

Data protection is where zero trust becomes useful to the business, not just the security team.

Baseline controls:

  • Classify finance, HR, customer, and IP data
  • Limit download and sharing rights
  • Encrypt devices and cloud storage
  • Turn on basic DLP for email and file sharing
  • Separate backup credentials from daily user accounts

A 90-day rollout plan for a 10-50 headcount business

Weeks 1-2: Fix identity and inventory first

Do not start with network diagrams. Start with truth.

Actions:

  • Inventory users, devices, SaaS apps, admin accounts, and remote access methods
  • Pick one primary IdP: Entra ID, Okta, or Authentik
  • Turn on MFA for all users and require separate admin accounts
  • Disable dormant accounts and remove shared credentials
  • Define your device baseline: supported OS versions, encryption, EDR, patching, lock screen
  • Identify internet-exposed admin surfaces: RDP, VPN, firewall login pages, NAS portals, WordPress admin, remote support tools

Success metric:

  • 100% of active users on MFA
  • 100% of admin access through named accounts
  • Written list of all devices and business-critical apps

Weeks 3-6: Enrol devices and replace broad access

Now enforce trust on endpoints and reduce network exposure.

Actions:

  • Enrol business laptops into Intune or Jamf
  • Create compliant/non-compliant device policies
  • Remove local admin from standard users
  • Roll out Tailscale or Cloudflare Zero Trust to a pilot group
  • Replace legacy VPN access for at least one internal service
  • Put internal web apps behind Cloudflare Access or equivalent SSO gate
  • Create Tailscale ACLs by role, not by “everyone can reach everything”

Example SMB policy set:

  • Finance can access Xero and payroll from any MFA-authenticated device, but admin functions require compliant devices
  • IT admins can SSH or RDP only from compliant devices in the admin group
  • Directors can access board files only from encrypted managed devices
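The policy set above written out as a small policy decision function, so you can see what "evaluate every request on user, device and action" means in practice. This is an added illustration, not code from any vendor product: the group names, app names and device fields are assumptions, and a real deployment expresses the same rules as Entra conditional access, Okta sign-on policies or Tailscale ACLs. Note that MFA is a precondition for everything and that an unmatched request is denied; network location never appears as an input.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Device:
    mfa: bool = False        # session authenticated with MFA
    managed: bool = False    # enrolled in Intune or Jamf
    compliant: bool = False  # compliance policy passed (encryption, EDR, patching, lock)
    encrypted: bool = False  # full-disk encryption reported by the MDM

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # role groups from the IdP (hypothetical names below)
    app: str
    action: str              # "use" for day-to-day work, "admin" for privileged functions
    device: Device

Rule = tuple[str, Callable[[Request], bool]]

# One rule per line of the example policy set. First match wins; no match means deny.
RULES: list[Rule] = [
    ("finance-use",
     lambda r: "finance" in r.groups and r.app in {"xero", "payroll"} and r.action == "use"),
    ("finance-admin-compliant-device",
     lambda r: "finance" in r.groups and r.app in {"xero", "payroll"}
               and r.action == "admin" and r.device.compliant),
    ("it-admin-compliant-device",
     lambda r: "it-admins" in r.groups and r.app in {"ssh", "rdp"} and r.device.compliant),
    ("directors-board-files",
     lambda r: "directors" in r.groups and r.app == "board-files"
               and r.device.managed and r.device.encrypted),
]

def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, matched rule name or denial reason). Default deny."""
    if not req.device.mfa:
        return False, "deny: MFA required for all users"
    for name, matches in RULES:
        if matches(req):
            return True, name
    return False, "deny: no rule grants this access (default deny)"

if __name__ == "__main__":
    # Constructed requests: finance user on an unmanaged laptop trying normal and admin work.
    unmanaged = Device(mfa=True)
    for action in ("use", "admin"):
        req = Request("alice@example.com", frozenset({"finance"}), "xero", action, unmanaged)
        print(action, decide(req))
```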

Success metric:

  • At least 80% of business devices enrolled
  • One remote access path removed or locked down
  • At least three key apps behind SSO

Weeks 7-12: Tighten data, logging, and privileged access

This is where the rollout becomes durable.

Actions:

  • Turn on basic DLP for Microsoft 365 or Google Workspace
  • Restrict external file sharing defaults
  • Separate backup, break-glass, and daily admin identities
  • Add alerting for risky sign-ins, impossible travel, disabled EDR, and new admin assignment
  • Review app permissions and remove stale OAuth grants
  • Document incident response for stolen laptop, compromised mailbox, and ransomware
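Two of the alerts listed above (impossible travel and a new admin assignment) implemented over constructed sign-in and audit events, as an added example that is not part of the original post and does not use any vendor's log schema. It assumes sign-in events have already been joined with geo-IP coordinates, that the privileged role names and the approved admin list are tenant-specific values you maintain from the Weeks 1-2 inventory, and that 900 km/h (faster than any airliner) is a reasonable ceiling for plausible travel.

```python
import math
from datetime import datetime

MAX_KMH = 900.0                                   # above this, two sign-ins cannot both be the user
MIN_KM = 50.0                                     # ignore jitter between geo-IP lookups in one city
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}  # assumed names
APPROVED_ADMINS = {"bob@example.com"}             # named admin accounts from the inventory

# Constructed sign-in events for a hypothetical tenant (ISO timestamps, decimal degrees).
SIGNINS = [
    {"user": "alice@example.com", "ts": "2026-03-02T08:05:00", "city": "Sydney",    "lat": -33.87, "lon": 151.21},
    {"user": "alice@example.com", "ts": "2026-03-02T08:50:00", "city": "Singapore", "lat": 1.35,   "lon": 103.82},
    {"user": "bob@example.com",   "ts": "2026-03-02T09:00:00", "city": "Melbourne", "lat": -37.81, "lon": 144.96},
    {"user": "bob@example.com",   "ts": "2026-03-02T17:30:00", "city": "Sydney",    "lat": -33.87, "lon": 151.21},
]

# Constructed directory audit events: role grants by an actor to a target account.
AUDIT = [
    {"ts": "2026-03-02T10:00:00", "actor": "bob@example.com", "target": "bob@example.com",  "role": "Global Administrator"},
    {"ts": "2026-03-02T10:05:00", "actor": "bob@example.com", "target": "dave@example.com", "role": "Global Administrator"},
    {"ts": "2026-03-02T10:06:00", "actor": "bob@example.com", "target": "erin@example.com", "role": "Reports Reader"},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))

def impossible_travel(signins):
    """Alert on consecutive sign-ins by one user that would require travel faster than MAX_KMH."""
    by_user = {}
    for e in sorted(signins, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            secs = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds()
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            kmh = km / (secs / 3600) if secs > 0 else float("inf")   # same timestamp: any distance is impossible
            if km > MIN_KM and kmh > MAX_KMH:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"], "kmh": round(kmh)})
    return alerts

def unapproved_admin_assignments(audit):
    """Alert on privileged role grants to any account outside the approved admin list."""
    return [e for e in audit if e["role"] in PRIVILEGED_ROLES and e["target"] not in APPROVED_ADMINS]

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS) + unapproved_admin_assignments(AUDIT):
        print(alert)
```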

Success metric:

  • All privileged roles protected by stronger policy
  • Logging retained centrally
  • Default file-sharing posture reviewed and reduced
  • Incident playbook tested once

The three mistakes SMBs make

1. Treating zero trust as a network project

If you start with firewalls and tunnels before identity and device posture, you build complexity without assurance.

2. Allowing unmanaged devices to remain “temporary exceptions”

Those exceptions become permanent. In most SMB breaches, the bypass path is the real environment.

3. Buying too many tools before standardising access

A clean Entra ID or Okta rollout plus Intune or Jamf plus one access layer is better than six partially deployed products and no enforcement.

FAQ

Yes. A 15-person firm with Microsoft 365, Xero, cloud storage, and remote work already has a distributed environment. Zero trust is just the disciplined way to control it.

Choose Entra ID if you are already in Microsoft 365. Choose Okta if your estate is mostly third-party SaaS. Choose Authentik if you need self-hosted SSO for internal apps and can support it properly.

Not usually. Tailscale is excellent for private connectivity and device-aware access, but you still need strong identity, device management, and data controls.

For most 10-50 person businesses, the first 90 days should focus on licences and rollout effort you can sustain. Business Premium plus Intune, or Okta plus Jamf, is usually more realistic than a full enterprise security stack.

Conclusion

Zero trust in a small business should be boring, enforceable, and measurable. Start with identity, bind access to compliant devices, reduce broad remote access, and then lock down privileged workflows and sensitive data.

If you are an Australian SMB technical lead, the best next step is not a strategy workshop. It is a 90-day rollout plan with named owners, pilot groups, and hard deadlines. Visit consult.lil.business for a free cybersecurity assessment.

References

  1. NIST SP 800-207: Zero Trust Architecture
  2. Australian Cyber Security Centre: Essential Eight Maturity Model
  3. Microsoft Learn: Conditional Access in Microsoft Entra ID
  4. Tailscale ACL Policy File Documentation
  5. Cloudflare Zero Trust Access Documentation

How AI Helps Your Business Make Smarter Choices (ELI10 Edition)

TL;DR

  • Running a business means making lots of big decisions — and most people make them on gut feeling, which is risky
  • AI can look at all your business data and help you make smarter choices, like a super-powered advisor
  • Businesses using AI to make decisions see up to 3× more revenue per person than businesses that don't [1]
  • You don't need to be a data expert — the tools do the hard work
  • lil.business can help you set up the right AI tools for YOUR business decisions

Every Business Makes Decisions. Most Are Guesses.

Think about the decisions running a business involves:

  • How much stock should you order this month?
  • Should you hire another person?
  • Is your pricing right, or are you leaving money on the table?
  • When will you have a cash flow problem — before it happens?
  • Which customers are about to leave?

Most small business owners answer these questions based on experience and gut feeling. That's not a bad thing — experience matters. But gut feeling can only process so much information. Your brain can't track 500 customers' buying patterns simultaneously, or spot a pricing opportunity hidden in three years of sales data.

AI can. And when businesses use AI to support their decisions, the results are measurable. According to PwC's Global AI Jobs Barometer, businesses using AI show 3× higher revenue growth per worker than those that don't [1].


Think of AI as a Really Smart Business Analyst

Imagine hiring a brilliant analyst who:

  • Read every sales record, invoice, and customer interaction your business has ever had
  • Can spot patterns in all that data in seconds (like "you always run out of X product in September")
  • Never gets tired, never goes home, and updates their analysis every day automatically
  • Gives you a clear recommendation before you need to make an important decision

That's what AI decision support does. It's not replacing your judgment — it's giving you much better information to apply your judgment to.

McKinsey estimates that AI could unlock between US$2.6 trillion and US$4.4 trillion in value for businesses globally [2]. The biggest chunk of that value comes from better decisions — in pricing, in staffing, in what to stock, in who to sell to.


Real Examples of What AI Can Help You Decide

"How much should I order?"

AI inventory forecasting looks at your past sales, factors in seasons (Christmas rush, school holidays, winter) and even the weather if it matters for your business — and tells you exactly how much to order, weeks in advance.

Instead of ordering too much (money stuck in stock you can't sell) or too little (missing sales because you've run out), AI keeps you in the sweet spot.

Businesses using AI for this kind of forecasting have reduced their errors by 30–50% compared to doing it manually [3].

"Are my prices right?"

This is a sneaky one. Most small businesses set prices once and barely change them. AI pricing tools look at what's selling, what's not, when demand is high, and where you have room to charge more — or where you're pricing yourself out of sales.

You don't need to change prices every hour like an airline does. Even using AI to review your pricing once a quarter can catch significant opportunities you'd otherwise miss.

"Am I going to run out of cash?"

Cash flow problems are the number-one reason small businesses close — even profitable ones. The money's owed to you, but it hasn't arrived yet, and your bills are due.

AI cash flow tools plug into your accounting system (like Xero or MYOB) and show you, weeks in advance, when you're going to be short. That gives you time to chase invoices, delay a purchase, or arrange a short-term credit line before it becomes a crisis.

IBM used AI on its own finances and is on track to save US$4.5 billion by the end of 2025 [4]. You won't save billions, but the proportional impact on an SMB can be just as significant.

"Should I hire someone?"

AI HR tools look at your sales patterns, workload data, and team capacity — and tell you when you're genuinely understaffed (not just stressed) and when you can handle more without hiring. They can also help screen job applications by matching candidates to the profile of your best performers.


AI Doesn't Make the Decision. You Do.

This is really important to understand. AI gives you better information. You still make the call.

Think of it like GPS navigation. GPS tells you the fastest route based on traffic data, but you can choose to ignore it because you know a shortcut the GPS doesn't. Your local knowledge and judgment still matter — you just have much better information to work with.

Gartner (a tech research company) predicts that by 2028, only about 15% of day-to-day business decisions will be made fully by AI on its own [5]. The rest still need a human. The goal is making that human (you) as well-informed as possible.


"But I'm Not a Data Person"

You don't need to be. Modern AI business tools are designed for normal business owners, not data scientists.

Most of them connect directly to the tools you're already using — your accounting software, your website analytics, your POS system — and present the insights in plain language, not graphs that require a statistics degree.

The setup is where it helps to have an expert. lil.business makes sure you connect the right data sources, configure the tools correctly, and understand how to interpret what you're seeing. After setup, the tools run themselves.


One Important Rule: Keep Humans In Charge of Big Decisions

As AI tools get better, it's tempting to let them make more decisions automatically. For small stuff (reordering common stock, routing routine customer emails) — go for it.

But for decisions that really matter — hiring, pricing strategy, major purchases, entering a new market — always keep a human in the loop. Not because AI is bad, but because AI can only see the data it has access to. It can't see the conversation you had at an industry event, or the new competitor you heard is moving into your area, or the regulatory change you know is coming.

Your judgment, combined with AI's data processing, is more powerful than either alone.


FAQ

Yes, sometimes. AI is as good as the data it's trained on. If your data is incomplete, or if something unusual happens (a new competitor, a pandemic), AI can miss it. That's why you always review AI recommendations before acting on them, especially for big decisions.

No — and this is something lil.business specifically checks. Some AI tools use your business data to train shared models (which means your data helps a competitor's AI). lil.business only recommends tools with strong data privacy policies, and we configure them to protect your information.

You'll start seeing better data visibility from day one. But improved decisions take time to demonstrate — you need to make some decisions, see the outcomes, and compare them to your old approach. Most businesses see clear evidence of improvement within 3–6 months.

Most AI decision-support tools for SMBs cost AU$100–$500 per month. Given that better inventory decisions, pricing, and cash flow management can easily save multiples of that, the ROI is usually straightforward to demonstrate.

This is a real challenge — and one of the most common reasons AI implementations fail. The key is starting with a use case that genuinely helps the person doing the work, not just the business owner. When a team member sees AI saving them two hours of weekly report-building, they become advocates. lil.business helps design AI roll-outs that bring teams along rather than forcing change from the top.


What to Do Next

  1. Pick one decision your business makes regularly that you find stressful or uncertain
  2. Ask yourself what data you'd need to feel confident making that decision
  3. Book a free chat with lil.business — we'll tell you if AI can help and what it would take to set it up

Better decisions compound. One better pricing decision this quarter leads to higher margins next year. One better hiring decision this month leads to a stronger team for years. The sooner you start, the more those improvements add up.


References

[1] PwC, "2024 Global AI Jobs Barometer," PwC Global, May 2024. [Online]. Available: https://www.pwc.com/gx/en/issues/artificial-intelligence/ai-jobs-barometer.html

[2] McKinsey & Company, "The Economic Potential of Generative AI: The Next Productivity Frontier," McKinsey Global Institute, Jun. 2023. [Online]. Available: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-ai-the-next-productivity-frontier

[3] Deloitte, "AI in Supply Chain: Predictive Analytics and Lead-Time Variability," Deloitte Insights, 2023. [Online]. Available: https://www2.deloitte.com/insights/us/en/industry/retail-distribution/ai-in-supply-chain.html

[4] IBM, "Enterprise Transformation and Extreme Productivity with AI," IBM Think Insights, Jan. 2026. [Online]. Available: https://www.ibm.com/think/insights/enterprise-transformation-extreme-productivity-ai

[5] Gartner, "Top Strategic Technology Trends for 2025: Agentic AI," Gartner, Oct. 2024. [Online]. Available: https://www.gartner.com/en/documents/5850847

[6] McKinsey & Company, "The State of AI in 2025," McKinsey Global Institute, Nov. 2025. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

[7] Mercer, "2024–2025 Global Talent Trends Report," Mercer, 2024. [Online]. Available: https://www.mercer.com/assets/za/en_za/shared-assets/global/attachments/pdf-mercer-2024-2025-global-talent-trends.pdf

[8] Bain & Company, "Survey: Generative AI Uptake Is Unprecedented Despite Roadblocks," Bain & Company, Oct. 2024. [Online]. Available: https://www.bain.com/insights/survey-generative-ai-uptake-is-unprecedented-despite-roadblocks/

[9] Federal Reserve Bank of St. Louis, "The Impact of Generative AI on Work Productivity," On the Economy Blog, Feb. 2025. [Online]. Available: https://www.stlouisfed.org/on-the-economy/2025/feb/impact-generative-ai-work-productivity


Ready to stop guessing and start deciding with confidence? Book a free consultation with lil.business — we'll help you figure out which AI tools will make the biggest difference to the decisions that matter most in your business.
