Zero Trust Architecture for SMEs: New study reveals adoption path

Small and medium enterprises (SMEs) face growing cyber threats but often lack resources to adopt Zero Trust Architecture (ZTA). A new pilot study from Yu Deng and Anushia Inthiran, accepted at PACIS 2026, surveyed 64 IT and security professionals across Asia-Pacific SMEs to identify drivers and barriers for ZTA adoption. Results show that familiarity with ZTA principles and the need for cloud-computing capabilities are the strongest positive correlates with perceived necessity. Interestingly, accumulated barriers showed only a weak negative association, suggesting that awareness and operational needs outweigh perceived difficulties.

The study identifies identity and access management (IAM) complexity and scalability as the main implementation hurdles. Based on these findings, the authors propose a pragmatic three-stage adoption path: first, strengthen identity governance (e.g., multi-factor authentication, least-privilege access); second, segment high-value assets to limit lateral movement; third, introduce targeted monitoring aligned with operational capacity. This staged approach offers a realistic roadmap for resource-constrained SMEs, moving from theory to actionable steps without requiring full enterprise-scale investment.