TL;DR

Zero trust isn't an enterprise-only luxury — it's the framework that stops the 15-year-old PowerPoint exploits and unpatched HPE OneView RCEs that fill the CISA KEV catalog every week. For Australian SMBs with 10–50 staff, a staged 90-day rollout across five pillars (identity, device, network, application, data) using tools like Entra ID, Tailscale, and Intune is achievable without a six-figure budget. The three mistakes most SMBs make: rolling out MFA without an identity provider, trusting the VPN as a perimeter, and treating zero trust as a product rather than a process.

Why Zero Trust Matters Now

CISA added 245 vulnerabilities to its Known Exploited Vulnerabilities catalog in 2025 alone — a 20% increase — and 24 of those were linked to ransomware campaigns [1]. Attackers exploited a Microsoft Office PowerPoint flaw from 2009, a CVSS 10.0 RCE in HPE OneView, and critical injection flaws in Ivanti EPMM and Fortinet FortiClientEMS [2]. These aren't zero-days requiring nation-state resources. They're known bugs with published patches that organisations simply hadn't applied.

The Australian Cyber Security Centre's Essential Eight — application control, patch management, MFA, daily backups, and more — maps directly onto zero trust principles. Zero trust gives you the architecture to enforce the Essential Eight systematically instead of ticking boxes.

The Five Pillars: What They Actually Mean

1. Identity. Every user proves who they are before accessing anything. No shared accounts. No password-only logins. An identity provider (IdP) becomes your single source of truth for authentication and authorisation.

2. Device. Unmanaged laptops don't touch company resources. Enrolled devices meet baseline compliance — disk encryption, OS patching, endpoint protection — before they're trusted.

3. Network. There's no trusted internal network. Every connection is authenticated and encrypted. Microsegmentation limits blast radius when (not if) a device is compromised.

4. Application. Access to each SaaS app and internal tool is conditional on identity, device posture, and context. No one gets blanket access to everything.

5. Data. Classification, encryption at rest and in transit, and access logging. Data is the asset everything else protects.

Identity Provider: Choosing Your Foundation

Your IdP is the cornerstone. For 10–50 headcount in Australia:

  Option                    Best for                                         Cost (AUD, approx.)
  Microsoft Entra ID P1     Microsoft 365 shops; needs Conditional Access    $9/user/month
  Okta                      Mixed environments; strong SSO catalog           $8–15/user/month
  Authentik (self-hosted)   Budget-constrained; technical team               Free (infrastructure costs)

Concrete advice: If you already run Microsoft 365 Business Premium, Entra ID P1 is included — use it. If you're a mixed Google/Microsoft shop, Okta simplifies SSO across both. Authentik is viable if you have a sysadmin comfortable with Docker and reverse proxies, but factor in the maintenance burden.

Required configuration on day one:

  • Federated SSO for all business applications
  • Conditional access policies blocking legacy authentication protocols
  • MFA enforced for every user — authenticator app or FIDO2 keys, not SMS

The 90-Day Staged Rollout

Weeks 1–2: Identity and Visibility

Do this first. Everything else depends on knowing who's accessing what.

  1. Deploy your chosen IdP. Enrol all users. Remove any shared or service accounts that lack individual attribution.
  2. Enable MFA across the board. Use number-matching push notifications or hardware keys — SMS is no longer acceptable per ACSC guidance.
  3. Inventory every application your business uses. You'll find shadow IT you didn't know existed. Record each app's authentication method.
  4. Connect all SaaS apps to the IdP via SAML or OIDC. Disable local logins where possible.

Config snippet — Entra ID Conditional Access:

  • Policy: Block legacy authentication (POP, IMAP, SMTP AUTH, ActiveSync clients)
  • Policy: Require MFA for all cloud apps, exclude emergency break-glass account
  • Policy: Block sign-in from non-compliant devices for sensitive apps (prepare for phase 2)
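The three policies above expressed as Microsoft Graph request bodies, with a guard against the classic lockout mistake. This is an added example, not configuration from the original post: the break-glass object ID is a placeholder, the access token and the list of sensitive app IDs are assumed inputs, and the third policy is created in report-only state because device compliance does not exist until phase 2.

```python
import json
import urllib.request

GRAPH_CA = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
# Placeholder object ID of the emergency break-glass account (not a real value).
BREAK_GLASS = "00000000-0000-0000-0000-000000000000"

def _policy(name, state, client_apps, apps, controls) -> dict:
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": client_apps,
                           "applications": {"includeApplications": apps},
                           "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

def block_legacy_auth() -> dict:
    # "exchangeActiveSync" and "other" are Graph's legacy (basic-auth) client
    # app types: POP, IMAP, SMTP AUTH and older ActiveSync clients.
    return _policy("Block legacy authentication", "enabled",
                   ["exchangeActiveSync", "other"], ["All"], ["block"])

def require_mfa_all_apps() -> dict:
    # Modern clients only; the legacy client types are already blocked outright.
    return _policy("Require MFA for all cloud apps", "enabled",
                   ["browser", "mobileAppsAndDesktopClients"], ["All"], ["mfa"])

def require_compliant_device(sensitive_app_ids: list) -> dict:
    # Report-only until Intune compliance exists (phase 2), so nobody is locked out yet.
    return _policy("Sensitive apps: compliant device required", "enabledForReportingButNotEnforced",
                   ["all"], sensitive_app_ids, ["compliantDevice"])

def lockout_risks(policies: list) -> list:
    """Names of policies that target all users without excluding the break-glass account."""
    return [p["displayName"] for p in policies
            if "All" in p["conditions"]["users"].get("includeUsers", [])
            and BREAK_GLASS not in p["conditions"]["users"].get("excludeUsers", [])]

def create_policy(access_token: str, policy: dict) -> int:
    """POST one policy (needs Policy.ReadWrite.ConditionalAccess); returns the HTTP status."""
    req = urllib.request.Request(GRAPH_CA, data=json.dumps(policy).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run lockout_risks over the full list before calling create_policy on any of them; a policy that scopes "All" users and forgets the exclusion is exactly the one that locks the admin out.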

Weeks 3–6: Device Trust and Network Segmentation

  1. Enrol devices in Intune (Microsoft) or Jamf (macOS fleets). Set compliance policies: BitLocker/FileVault enabled, OS within 30 days of current, endpoint protection running.
  2. Deploy a zero-trust network. Two practical options for SMBs:
    • Tailscale: WireGuard-based mesh. Every device gets a stable IP. ACLs control which device can reach which service. Free tier covers small teams. Config is declarative — a single Tailscale ACL policy file defines your entire network access matrix.
    • Cloudflare Zero Trust (WARP + Access): Replaces your VPN. Users authenticate via your IdP before reaching internal applications. Tunnel-based — no open inbound ports.
  3. Kill the VPN. Traditional VPNs grant broad network access once authenticated — the opposite of zero trust. Replace with one of the above.
  4. Patch ruthlessly. Subscribe to the CISA KEV catalog RSS feed. Treat every KEV addition as a 48-hour patching SLA for internet-facing systems [3]. The Ivanti EPMM CVE-2026-1340 (CVSS 9.8, actively exploited) proved that MDM platforms are high-value targets — if you run one, it must be current.

Tailscale ACL example (principle of least privilege):

// Tailscale policy files are HuJSON, so comments are allowed. The policy is
// default-deny and "accept" is the only action, so tag:database stays
// unreachable simply by not appearing in any rule. Groups and tags referenced
// here must also be declared in the "groups" and "tagOwners" sections.
{
  "acls": [
    {"action": "accept", "src": ["group:finance"], "dst": ["tag:accounting:8080"]},
    {"action": "accept", "src": ["group:engineering"], "dst": ["tag:gitlab:443", "tag:ci:22"]}
  ]
}

Weeks 7–12: Application Controls and Data Protection

  1. Conditional access enforcement. Tie application access to device compliance. Unenrolled personal device? Read-only web access only, no data download. Managed and compliant? Full access.
  2. Application allow-listing (Essential Eight mitigation strategy). On Windows, use Windows Defender Application Control via Intune. On macOS, use Jamf to enforce Gatekeeper and notarisation requirements.
  3. Data classification. Start simple: Public, Internal, Confidential, Restricted. Label SharePoint sites and Google Drive folders accordingly.
  4. Enable audit logging across all IdP-connected applications. Centralise logs — even a simple ELK stack or cloud SIEM on a retention tier gives you forensic capability.
  5. Test your incident response. Simulate a compromised device. Can you revoke its Tailscale node key, wipe it via Intune, and cut off all SaaS sessions in under 30 minutes? If not, document the gaps and fix them.

The Three Mistakes Most SMBs Make

Mistake 1: Buying MFA without an identity provider. Turning on MFA in each SaaS app individually creates a fragmented mess. Users get prompted inconsistently, admins can't enforce policy centrally, and when someone leaves you're hoping you remembered to disable all 12 app logins. An IdP solves this.

Mistake 2: Trusting the VPN as a security boundary. A VPN gives authenticated users broad network access. Once someone's in, lateral movement is trivial. The CISA KEV data shows that infrastructure management platforms (HPE OneView, Ivanti EPMM) are prime targets — if an attacker pivots through your VPN to reach them, it's game over. Zero trust networks authenticate every connection individually.

Mistake 3: Treating zero trust as a product. No vendor sells "zero trust in a box." It's an architecture — a set of principles you apply iteratively. Buying Cloudflare Zero Trust and calling it done without conditional access, device compliance, and data classification is security theatre. The 90-day plan above gets you to a defensible baseline. From there, it's continuous improvement.

FAQ

Do I need zero trust if I only use cloud SaaS apps? Yes. Your IdP, device compliance, and conditional access policies still apply. Cloud apps are accessible from anywhere — that's exactly why identity becomes your perimeter.

What's the minimum viable zero trust setup for a 10-person team? Entra ID (free tier if no conditional access needed, P1 if you want it), Tailscale for network mesh, and Intune for device compliance. Total cost: roughly $15–25 per user per month. Skip the enterprise SIEM — use built-in audit logs and Microsoft 365 Defender for endpoint protection.

How does this relate to the Australian Essential Eight? Zero trust is the architecture that enforces the Essential Eight. MFA maps to identity. Patch management maps to device compliance and the 48-hour KEV SLA. Application control maps to the application pillar. Daily backups and recovery testing map to data protection.

What if we can't afford a full-time security person? Outsource to an MSP that understands zero trust principles — not one that just deploys antivirus and calls it done. The staged approach above is designed for teams without dedicated security staff.

Conclusion

The threat landscape doesn't care about your company size. CISA's KEV catalog grew 20% in 2025, and the vulnerabilities being exploited — from 15-year-old Office flaws to CVSS 10.0 infrastructure RCEs — work against any organisation that hasn't adopted least-privilege access and continuous verification. Start with identity in weeks 1–2, layer device trust and network segmentation through week 6, then enforce application controls and data protection by day 90. It's not instant, but it's achievable and it's the right architecture.

Next step: Assess where your business sits today. Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs.

References

  1. RSI Security, "CISA KEV: Latest Vulnerabilities & Critical Infrastructure Risks," 2026. https://blog.rsisecurity.com/cisa-kev-latest-vulnerabilities-infrastructure-risk/
  2. SecurityOnline, "The CVE Watchtower: Weekly Threat Intelligence Briefing (April 6–12, 2026)," 2026. https://securityonline.info/vulnerability-digest-april-2026-ai-security-gaps/
  3. CISA, "Known Exploited Vulnerabilities Catalog," 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

TL;DR

  • There's a trick that lets bad actors hide dangerous commands inside normal-looking Windows shortcut files — and 11 government-backed hacking groups have been using it since 2017 [1].
  • Microsoft knows about it but won't fix it [2].
  • You can protect yourself by controlling what files enter your network and what they're allowed to do.

The Simple Explanation

Imagine your desktop shortcuts are labelled doors. You trust the labels and walk through without thinking. Now imagine someone taped a secret instruction to the back of a door — hidden behind pages of blank paper — saying "quietly unlock the back window" [1].

That's this vulnerability. Attackers create shortcut files (.lnk files) containing hidden commands padded with megabytes of invisible space. Windows only shows the normal label. When you double-click, it runs everything — including the secret part [1] [3].

Trend Micro found nearly 1,000 booby-trapped shortcuts used by hacking groups from North Korea, Russia, China, and Iran [5] [6]. Microsoft says it doesn't qualify for a fix [2].

What You Can Do About It

You don't need to wait for Microsoft. Add your own locks:

  1. Block .lnk files in email. Nobody outside your company needs to send you shortcut files [7].
  2. Use application controls. Only approved programs should run — like a guest list for your house [7] [8].
  3. Watch for oversized shortcut files. Normal shortcuts are a few KB; weaponised ones are megabytes [1].
  4. Use EDR software. It reads hidden commands Windows won't show you and stops them before they run [10].
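A detector for points 3 and 4 above, added here as an example and not part of the original post: it walks the Shell Link header layout (MS-SHLLINK) to read the command-line arguments Windows does not display, then flags a shortcut that is oversized or whose arguments contain a long whitespace run. The size and padding thresholds are assumptions, and build_lnk only constructs a harmless test sample.

```python
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK): LinkCLSID bytes and LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HAS_ARGS = 0x20

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a shell link ('' if none)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a .lnk file")
    pos = 0x4C
    if flags & HAS_ID_LIST:      # LinkTargetIDList: uint16 size followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    args = ""
    for flag in STRING_FLAGS:    # StringData blocks appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        text = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
        if flag == HAS_ARGS:
            args = text
    return args

def assess_lnk(data: bytes, size_limit=64 * 1024, pad_limit=200) -> dict:
    """Flag a shortcut that is oversized or whose arguments hide a long whitespace run."""
    args = lnk_arguments(data)
    longest_ws = max((len(m) for m in re.findall(r"\s+", args)), default=0)
    return {"size": len(data),
            "oversized": len(data) > size_limit,
            "longest_whitespace_run": longest_ws,
            "padded": longest_ws >= pad_limit,
            "visible_arguments": args.strip()[:80]}

def build_lnk(args: str) -> bytes:
    """Constructed minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (test sample, not malware)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE)
    header += bytes(0x4C - len(header))          # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Point it at the .lnk files arriving through mail gateways or shared drives; anything with "padded" or "oversized" set deserves a look at visible_arguments and whatever follows the whitespace.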

FAQ

No — you must double-click it for the hidden command to run. Train your team to pause before opening unexpected files [3].

They consider it a display issue, not a security boundary break [2]. That's why layering your own defences matters.

Big targets come first, but attackers reuse successful techniques on smaller ones. Building good habits now keeps you ahead [5] [10].

References

[1] Trend Micro Zero Day Initiative, "ZDI-CAN-25373: Windows .lnk File Zero-Day," Trend Micro, Mar. 2026.

[2] Microsoft Security Response Center, "MSRC Case Tracking," Microsoft, Mar. 2026.

[3] MITRE, "ATT&CK Technique T1204.002: User Execution: Malicious File," MITRE ATT&CK, 2025.

[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.

[5] Trend Micro, "Water Hydra APT Group Exploits Windows Shortcut Vulnerability," Trend Micro Research, Mar. 2026.

[6] Mandiant, "APT Trends Report Q1 2026," Google Cloud Security, 2026.

[7] ASD Australian Signals Directorate, "Essential Eight Maturity Model," Australian Government, 2025.

[8] NIST, "NIST Cybersecurity Framework 2.0," NIST, 2024.

[9] Kaspersky, "APT Trends Report Q1 2026," Kaspersky Global Research, 2026.

[10] CrowdStrike, "2026 Global Threat Report," CrowdStrike, Feb. 2026.


Want help making sure your business has the right locks on every door — not just the ones your vendors choose to fix? Let's talk.
