I was at a security conference in Stockholm last autumn and decided to count how many times "zero trust" came up during the keynotes. I stopped counting at 40. That was before lunch.
The problem was not the number. It was that every speaker seemed to mean something different by it. One vendor meant network micro-segmentation. Another meant continuous authentication. A third meant "buy our product." One speaker appeared to genuinely believe zero trust was a firewall feature.
Zero trust has become one of those terms that means everything and nothing at the same time. It is on every vendor's website, in every analyst report, and in every CISO's strategy presentation. The meaning has been diluted beyond recognition.
But the core idea? The core idea is actually sound. And it matters more for mid-market companies than for the large enterprises where most of the zero trust marketing is aimed.
What zero trust actually means
Strip away the marketing and it comes down to one principle: do not automatically trust anything based on where it is.
Traditional security was perimeter-based. Inside the corporate network, you were trusted. Outside, you were not. The network boundary was the trust boundary. If you were on the domain, Active Directory said you were fine, and that was that.
This made sense when everyone worked from the office and all the applications ran on local servers behind the firewall. It makes much less sense when your employees work from home half the week, your applications are SaaS, and "the corporate network" is a VPN that half the team forgets to connect to. Your on-prem AD still handles authentication for some things, Entra ID handles the cloud side, and the perimeter is somewhere in between. Or nowhere, really.
Zero trust says: verify every request instead of trusting the network. Check who is asking. Check what device they are on. Check whether the request makes sense given the context. Do this every time, regardless of location.
That is the whole idea. Everything else is implementation detail.
What it looks like for a 200-person Nordic company
The enterprise version of zero trust involves network micro-segmentation, software-defined perimeters, continuous adaptive risk scoring, and a dedicated team to run it all. If you are a 200-person company in Malmö, you can safely ignore all of that.
Here is what practical zero trust looks like at your scale:
Identity is your perimeter. Most of your applications are cloud-based: Microsoft 365, various SaaS tools. The identity layer in Entra ID is where you make trust decisions. Conditional access policies are your zero trust implementation. "Require MFA for all users" is a zero trust policy. "Block sign-ins from countries where you have no employees" is a zero trust policy. "Require a compliant device for accessing sensitive applications" is a zero trust policy.
Least privilege access. People should have access to what they need for their job. Nothing more. This sounds obvious, but almost nobody does it well. Most companies give too much access because it is easier than being precise. Zero trust says: start with no access and add what is needed, rather than starting broad and hoping nobody misuses it.
No permanent admin access. If someone needs admin rights, they should activate them for a specific time window, do the work, and let them expire. Entra ID P2's Privileged Identity Management does this. It is one of the most useful security practices you can adopt, and it takes an afternoon to configure.
Assume things will go wrong. Instead of only asking "how do I prevent a breach," also ask "when something happens, how do I limit the damage?" If an account gets compromised, how far can the attacker get? If the answer is "they can access everything that user has access to, which is a lot because we never cleaned up their permissions," that is a problem zero trust thinking would have caught.
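To make the four points above concrete, here is a small per-request policy evaluator, added as an illustration (it is not the article's code and not how Entra ID is implemented). It models the decisions the identity layer makes on every sign-in: the country check, the MFA requirement, the compliant-device requirement for sensitive apps, a least-privilege entitlement table, time-boxed admin activation in the style of PIM, and a blast-radius query for the "assume things will go wrong" question. The tenant data (countries, apps, users, the timestamp) is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed tenant data for this example (assumptions, not real policy values).
ALLOWED_COUNTRIES = {"SE", "DK", "NO", "FI"}      # countries where the company has staff
SENSITIVE_APPS = {"finance-erp", "hr-portal"}     # apps that require a compliant device
ENTITLEMENTS = {                                  # least privilege: app -> users who need it
    "mail": {"anna", "erik", "lena"},
    "finance-erp": {"erik"},
    "hr-portal": {"lena"},
}
ADMIN_ACTIVATIONS = {}   # PIM-style time-boxed admin rights: user -> (start, end)
EXAMPLE_NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class SignIn:
    """One request as the identity layer sees it: who, what, from where, on what."""
    user: str
    app: str
    country: str
    mfa_satisfied: bool
    device_compliant: bool
    admin_action: bool = False
    at: datetime = EXAMPLE_NOW


@dataclass
class Decision:
    allowed: bool
    reasons: list[str]


def activate_admin(user: str, hours: int, now: datetime) -> None:
    """Grant admin rights for a bounded window; nothing is permanent."""
    ADMIN_ACTIVATIONS[user] = (now, now + timedelta(hours=hours))


def admin_active(user: str, now: datetime) -> bool:
    window = ADMIN_ACTIVATIONS.get(user)
    return window is not None and window[0] <= now < window[1]


def evaluate(req: SignIn) -> Decision:
    """Verify every request on its own merits; the network it came from is never consulted."""
    reasons: list[str] = []
    # Context: a sign-in from a country with no employees is blocked outright.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, [f"blocked: sign-in from {req.country}"])
    # Who: MFA for every user, every time.
    if not req.mfa_satisfied:
        reasons.append("mfa required")
    # Device: sensitive applications only from a compliant device.
    if req.app in SENSITIVE_APPS and not req.device_compliant:
        reasons.append(f"compliant device required for {req.app}")
    # Least privilege: no entitlement, no access.
    if req.user not in ENTITLEMENTS.get(req.app, set()):
        reasons.append(f"{req.user} has no entitlement for {req.app}")
    # Admin work needs a currently active, time-boxed activation.
    if req.admin_action and not admin_active(req.user, req.at):
        reasons.append("no active admin activation")
    return Decision(not reasons, reasons)


def blast_radius(user: str) -> set[str]:
    """Everything reachable with this user's credentials if the account is compromised."""
    return {app for app, users in ENTITLEMENTS.items() if user in users}


def demo() -> dict[str, list[str]]:
    """Run the scenarios from the text; an empty reason list means the request was allowed."""
    results = {}
    results["ok"] = evaluate(SignIn("erik", "finance-erp", "SE", True, True)).reasons
    results["foreign"] = evaluate(SignIn("erik", "mail", "BR", True, True)).reasons
    results["no_mfa"] = evaluate(SignIn("anna", "mail", "SE", False, True)).reasons
    results["byod"] = evaluate(SignIn("lena", "hr-portal", "DK", True, False)).reasons
    results["overreach"] = evaluate(SignIn("anna", "finance-erp", "SE", True, True)).reasons
    admin = SignIn("erik", "mail", "SE", True, True, admin_action=True)
    results["admin_not_activated"] = evaluate(admin).reasons
    activate_admin("erik", 4, EXAMPLE_NOW)          # four-hour window, then it lapses
    results["admin_activated"] = evaluate(admin).reasons
    later = SignIn("erik", "mail", "SE", True, True, admin_action=True,
                   at=EXAMPLE_NOW + timedelta(hours=5))
    results["admin_expired"] = evaluate(later).reasons
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:20s} {'allowed' if not reasons else '; '.join(reasons)}")
    print("blast radius of anna:", sorted(blast_radius("anna")))
```

The ordering matters: the location check is a hard block that short-circuits everything else, while the remaining checks accumulate so an administrator can see every reason a request would fail in one evaluation. The blast_radius query is the question to ask about each account before an incident, not after.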
Why this matters more for smaller companies
Large enterprises have security operations centres and threat detection tools that can spot suspicious activity quickly. A compromised account at a large company might be detected within hours.
A compromised account at a 200-person company with a two-person IT team? That might go unnoticed for weeks. I have seen cases where it took months.
Zero trust principles reduce the damage a compromised account can cause. Not by preventing the compromise itself — that is a different problem — but by limiting what the compromised account can reach.
Least privilege means the attacker only gets what the user had. No permanent admin means the attacker does not stumble into global admin rights. Conditional access means the attacker might be blocked entirely if they are signing in from an unusual location or device.
These are not expensive or complicated changes. They are configuration in tools you likely already have.
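Since the three policies named above are just configuration, here they are as Microsoft Graph request bodies, built as an added example rather than anything from the article. The policies are created in report-only state so you can watch what they would have blocked before enforcing them, the break-glass account is excluded from every policy, and a small lint catches the two ways a block policy locks out the wrong people. The Graph endpoints are the v1.0 Conditional Access ones; the break-glass object id, named-location id and application ids are placeholders you would replace with your tenant's values.

```python
import json

# Placeholder tenant values (assumptions for the example): substitute your own ids.
BREAK_GLASS_USER = "<object-id-of-break-glass-account>"
STAFF_COUNTRIES_LOCATION = "<id-of-named-location-created-by-the-first-request>"
SENSITIVE_APP_IDS = ["<app-id-of-finance-system>", "<app-id-of-hr-system>"]

GRAPH = "https://graph.microsoft.com/v1.0/identity/conditionalAccess"
REPORT_ONLY = "enabledForReportingButNotEnforced"   # Graph state value for report-only mode


def staff_countries_location(countries):
    """countryNamedLocation body listing the countries where the company has employees."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": "Countries with employees",
        "countriesAndRegions": sorted(countries),
        "includeUnknownCountriesAndRegions": False,
    }


def base_policy(display_name, control):
    """Common skeleton: all users except break-glass, all apps, report-only to start."""
    return {
        "displayName": display_name,
        "state": REPORT_ONLY,
        "conditions": {
            "clientAppTypes": ["all"],
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_USER]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": [control]},
    }


def require_mfa_for_all():
    return base_policy("ZT01 Require MFA for all users", "mfa")


def block_countries_without_staff():
    p = base_policy("ZT02 Block sign-ins from countries with no employees", "block")
    # Block everywhere except the named location; the lint below checks this shape.
    p["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [STAFF_COUNTRIES_LOCATION],
    }
    return p


def require_compliant_device_for_sensitive_apps():
    p = base_policy("ZT03 Require compliant device for sensitive apps", "compliantDevice")
    p["conditions"]["applications"] = {"includeApplications": SENSITIVE_APP_IDS}
    return p


def lint(policy):
    """Problems to fix before flipping a policy from report-only to enabled."""
    problems = []
    cond = policy["conditions"]
    controls = policy["grantControls"]["builtInControls"]
    if BREAK_GLASS_USER not in cond["users"].get("excludeUsers", []):
        problems.append("break-glass account is not excluded")
    if "block" in controls:
        loc = cond.get("locations", {})
        if loc.get("includeLocations") == ["All"] and not loc.get("excludeLocations"):
            problems.append("block applies to every location, including your own")
        if cond["applications"].get("includeApplications") == ["All"] and not loc:
            problems.append("block applies to all apps with no scoping condition")
    return problems


def request_plan(countries=("SE", "DK", "NO", "FI")):
    """(method, url, body) tuples in deployment order; nothing is sent from here."""
    plan = [("POST", f"{GRAPH}/namedLocations", staff_countries_location(countries))]
    for p in (require_mfa_for_all(), block_countries_without_staff(),
              require_compliant_device_for_sensitive_apps()):
        if lint(p):
            raise ValueError(f"{p['displayName']}: {lint(p)}")
        plan.append(("POST", f"{GRAPH}/policies", p))
    return plan


if __name__ == "__main__":
    for method, url, body in request_plan():
        print(method, url)
        print(json.dumps(body, indent=2))
```

The named location has to exist before the block policy can reference it, which is why it is the first request in the plan. Leave the policies in report-only for a week or two, read the sign-in logs for what they would have blocked, then change state to enabled one policy at a time.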
The vendor trap
Be sceptical of anyone who claims to sell you "zero trust." It is not something you purchase. It is an approach you adopt gradually, using the tools and policies available to you.
Some products help you implement zero trust principles more effectively. Fine. But if a vendor tells you that buying their product makes you "zero trust compliant," they are selling you a label, not a capability.
It is not a product you buy. It is a direction you move in. Start with identity. Start with conditional access, least privilege, and time-limited admin rights. You will be further along than most companies twice your size.