For years the mental model of SME security was a wall around a building. The firewall sat at the edge, the office network was “inside”, and inside was trusted. It was never quite true, but it was a useful picture, and a lot of products got sold on the strength of it.

A distributed workforce breaks the picture entirely. When your people work from homes, cafes, client sites and the occasional desk, there’s no inside left to be on. The thing that decides whether someone is “in” isn’t a network cable any more, it’s a successful login. That makes identity the real perimeter, and for most of the SMEs we assess, it’s the part of the estate with the least attention paid to it.

What “identity is the perimeter” actually means

It means the most important security decision your business makes, hundreds of times a day, is whether to believe a sign-in. Every time someone authenticates to email, to the file store, to a SaaS app, the system is answering one question: is this really them, on a device we trust, doing something normal? Get that answer right and most attacks stop at the door. Get it wrong and the attacker is inside as a legitimate user, which is the hardest kind to catch.

The uncomfortable part is how cheap it is to get wrong. A phished password, or one reused from a personal account that turned up in a breach, is all it takes if the login is guarded by nothing else. No firewall in the world helps, because the attacker isn’t breaking in, they’re signing in.

The controls that carry the weight

The good news is that the controls which matter most are mostly included in the licences SMEs already pay for. The work is switching them on properly and consistently, which is less glamorous than buying a new product and considerably more effective.

Multi-factor authentication, everywhere, no exceptions. MFA (a second proof beyond the password) is the single highest-value control in the building. The places it gets skipped are the dangerous ones: the director who finds it annoying, the shared mailbox, the legacy app that “doesn’t support it”. Those exceptions are precisely where attackers aim, because an account excluded from the MFA policy still gets in on a password alone, which is exactly what a stolen password needs. A shared mailbox shouldn’t be something anyone signs in to directly at all; people should reach it through their own, protected account. And an app that “doesn’t support it” is usually one still talking an older protocol that never asks for a second factor, so the answer is to block that protocol, not to exempt the account. The standard has to be everyone, every account.

Conditional access: the right person isn’t enough. Modern identity platforms let you require more than a correct password and code. You can insist the sign-in comes from a managed, compliant device, refuse logins from countries you never operate in, and step up the checks when something looks unusual. Country blocking is a coarse filter (an attacker can rent an address in your country for pennies), so treat it as one condition among several rather than the control. Every exclusion written into one of these policies is a hole in it, so review the exclusion lists as carefully as the rules themselves. This is the layer that turns “they had the password” into “and it still didn’t work”.
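To make that concrete, here is a small policy evaluator written for this article; it is an added example, not code from any identity platform. A sign-in carries who is signing in, from where, on what device and which factors succeeded; each policy states who it covers, when it fires and what it demands. The policy set, the user names and the country codes are constructed for the example, and the model is deliberately simpler than a real product’s (no risk scoring, no session controls). It also carries the kind of exclusion warned about above, so the result for the excluded director shows what that exception costs.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed attributes of one sign-in attempt. In a real platform most of these
# are resolved by the identity provider (IP geolocation, device compliance).
@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    country: str            # ISO-style code resolved from the source IP
    password_ok: bool
    mfa_satisfied: bool     # a second factor succeeded in this session
    device_compliant: bool  # device enrolled and passing compliance checks

# A policy fires when its scope and conditions match, then demands a control.
@dataclass
class Policy:
    name: str
    include_groups: set
    control: str                         # "block" | "require_mfa" | "require_compliant_device"
    exclude_users: set = field(default_factory=set)
    apps: Optional[set] = None           # None: every app
    countries: Optional[set] = None      # None: every location
    match_outside: bool = False          # True: fire when country is NOT in `countries`

OPERATING_COUNTRIES = {"GB", "IE"}      # constructed for the example

POLICIES = [
    # The exception that "feels harmless": one director left out of the MFA policy.
    Policy("MFA for all users", {"all-users"}, "require_mfa",
           exclude_users={"director@example.test"}),
    Policy("Block sign-ins from outside operating countries", {"all-users"}, "block",
           countries=OPERATING_COUNTRIES, match_outside=True),
    Policy("Compliant device for the finance app", {"all-users"},
           "require_compliant_device", apps={"finance"}),
]

def policy_applies(p: Policy, s: SignIn) -> bool:
    """Scope (groups minus exclusions), then the app and location conditions."""
    if s.user in p.exclude_users or not (p.include_groups & s.groups):
        return False
    if p.apps is not None and s.app not in p.apps:
        return False
    if p.countries is not None:
        inside = s.country in p.countries
        if inside == p.match_outside:    # inside when the rule targets outside, or vice versa
            return False
    return True

def evaluate(s: SignIn, policies=POLICIES):
    """Return ("allow" | "block", reasons). A wrong password ends it; otherwise
    every applicable policy's control has to be satisfied, so the password is
    only the first gate."""
    if not s.password_ok:
        return "block", ["password incorrect"]
    failures = []
    for p in policies:
        if not policy_applies(p, s):
            continue
        if p.control == "block":
            failures.append(f"{p.name}: blocked")
        elif p.control == "require_mfa" and not s.mfa_satisfied:
            failures.append(f"{p.name}: second factor required")
        elif p.control == "require_compliant_device" and not s.device_compliant:
            failures.append(f"{p.name}: compliant device required")
    return ("block" if failures else "allow"), failures

if __name__ == "__main__":
    staff = {"all-users"}
    scenarios = {
        # Attacker with a phished password: unmanaged device, outside the region, no MFA.
        "phished password, abroad": SignIn("alice@example.test", staff, "mail", "XX", True, False, False),
        "alice, normal day": SignIn("alice@example.test", staff, "mail", "GB", True, True, True),
        "alice, finance, unmanaged laptop": SignIn("alice@example.test", staff, "finance", "GB", True, True, False),
        # Same phished password, but the director is excluded from the MFA policy.
        "director, phished password": SignIn("director@example.test", staff, "mail", "GB", True, False, False),
    }
    for label, s in scenarios.items():
        print(f"{label:34} -> {evaluate(s)}")
```

The first scenario fails twice over (no second factor, wrong region) even though the password was right; the last one sails through with nothing but the password, because the exclusion removed the only policy that would have asked for more. That is the gap an exclusion list creates, shown as a decision rather than an opinion.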

Phishing-resistant factors where it counts. Not all MFA is equal. A code typed into a fake login page can be relayed by a determined attacker to the real one in real time, and a push prompt can simply be approved by someone who is tired of prompts. For the accounts that matter most, the move is toward factors that can’t be phished this way (passkeys and hardware keys, which are bound to the real site’s address, so a look-alike page cannot complete the sign-in). For most SMEs this is a 2026 direction of travel rather than a finished job, and it’s worth starting at the top, with the administrators and directors.

Visibility on the logins themselves. You can’t defend what you can’t see. Knowing which sign-ins succeeded, from where, with which factors, and which were blocked, turns identity from a hope into something you can actually monitor. A weekly look at the unusual sign-ins (new countries, successes that needed nothing but a password, bursts of failures from one address across several accounts) catches things long before they become incidents. The platform typically keeps those logs for only a short default period, so keep a copy somewhere that will still exist when you need to look back at an incident.

Where SMEs trip

A few patterns recur in the assessments we do.

The half-covered MFA rollout, where 90% of staff are protected and the 10% left over are the high-value accounts, is more common than no coverage at all. It feels done and isn’t.

The personal-account bleed, where work happens in a personal Google or Microsoft account “just for this”, sits entirely outside the controls and nobody’s watching it.

And the app that was never federated, where an old SaaS tool keeps its own usernames and passwords, separate from the central identity provider, so all the conditional access in the world doesn’t touch it. The fix is to bring every app that can be brought under single sign-on, to keep a register of the ones that can’t, and to turn on whatever MFA those stragglers offer on their own.
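The weekly sign-in review described under visibility, and the half-covered MFA rollout described above, can both be checked from an exported sign-in log and a directory listing. The script below is an added example, not the authors’ tooling: the log lines, the directory, the field names and the addresses are all constructed to resemble an identity-provider export rather than any vendor’s actual schema, and “XX” stands in for a country outside the operating set.

```python
import json
from collections import defaultdict

OPERATING_COUNTRIES = {"GB", "IE"}   # constructed for the example

# Constructed sign-in records, one JSON object per line, in the shape of an
# exported identity-provider log. Values are illustrative; the 23:40 block is
# one address failing against four different accounts in a few seconds.
SIGNIN_LOG = """\
{"time":"2026-01-12T08:01:10Z","user":"alice@example.test","app":"Mail","result":"success","mfa":"satisfied","country":"GB","ip":"203.0.113.10"}
{"time":"2026-01-12T08:03:44Z","user":"director@example.test","app":"Mail","result":"success","mfa":"not_required","country":"GB","ip":"203.0.113.11"}
{"time":"2026-01-12T09:15:02Z","user":"finance-shared@example.test","app":"Files","result":"success","mfa":"not_required","country":"GB","ip":"203.0.113.12"}
{"time":"2026-01-12T11:20:19Z","user":"bob@example.test","app":"Mail","result":"success","mfa":"satisfied","country":"XX","ip":"198.51.100.7"}
{"time":"2026-01-12T23:40:01Z","user":"alice@example.test","app":"Mail","result":"failure","mfa":"none","country":"XX","ip":"198.51.100.9"}
{"time":"2026-01-12T23:40:03Z","user":"bob@example.test","app":"Mail","result":"failure","mfa":"none","country":"XX","ip":"198.51.100.9"}
{"time":"2026-01-12T23:40:05Z","user":"carol@example.test","app":"Mail","result":"failure","mfa":"none","country":"XX","ip":"198.51.100.9"}
{"time":"2026-01-12T23:40:08Z","user":"director@example.test","app":"Mail","result":"failure","mfa":"none","country":"XX","ip":"198.51.100.9"}
"""

# Constructed directory export: role and whether a second factor is registered.
DIRECTORY = {
    "alice@example.test":          {"role": "user",   "mfa_registered": True},
    "bob@example.test":            {"role": "user",   "mfa_registered": True},
    "carol@example.test":          {"role": "user",   "mfa_registered": True},
    "director@example.test":       {"role": "admin",  "mfa_registered": False},
    "finance-shared@example.test": {"role": "shared", "mfa_registered": False},
}

def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def mfa_gaps(directory):
    """Accounts with no registered second factor, high-value roles first."""
    gaps = [(user, acct["role"]) for user, acct in directory.items()
            if not acct["mfa_registered"]]
    return sorted(gaps, key=lambda g: (g[1] == "user", g[0]))

def password_only_successes(records):
    """Successful sign-ins where no second factor was checked: the coverage gap
    as it actually plays out, whatever the registration report says."""
    return [r for r in records if r["result"] == "success" and r["mfa"] != "satisfied"]

def out_of_region_successes(records, operating=OPERATING_COUNTRIES):
    """Successful sign-ins from countries the business does not operate in."""
    return [r for r in records if r["result"] == "success" and r["country"] not in operating]

def spray_sources(records, min_accounts=3):
    """Source addresses that failed against several distinct accounts,
    the signature of a password spray rather than one forgetful user."""
    users_by_ip = defaultdict(set)
    for r in records:
        if r["result"] == "failure":
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_accounts}

def weekly_review(log_text=SIGNIN_LOG, directory=DIRECTORY):
    """Everything the Friday look should put in front of someone."""
    records = parse_log(log_text)
    return {
        "unregistered": mfa_gaps(directory),
        "password_only": [(r["time"], r["user"], r["app"]) for r in password_only_successes(records)],
        "out_of_region": [(r["time"], r["user"], r["country"]) for r in out_of_region_successes(records)],
        "spray_sources": spray_sources(records),
    }

if __name__ == "__main__":
    for finding, items in weekly_review().items():
        print(f"{finding}: {items}")
```

On the constructed data the review surfaces the two accounts with no second factor (an admin and a shared mailbox, the exact 10% the rollout missed), the same two signing in on a password alone, one colleague signing in from outside the region, and one address spraying four accounts just before midnight. Each finding is a return value, so the same functions can run against a real export and feed a ticket or a chat alert rather than a screen.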

The shift in mindset

None of this requires an enterprise budget. It requires treating the login as the thing you defend, with the same seriousness the old model gave the front door of the office. For a team that’s never all in one place, that’s not a sophistication, it’s the baseline, and the gap between the SMEs who’ve made the shift and the ones who haven’t is the gap an attacker is counting on.

That’s our Security Solutions practice. We assess where your identity perimeter actually stands, close the MFA and conditional-access gaps, and set up the visibility to keep it honest.

The wall around the building was never the real defence, and now there isn’t even a building. The login is the perimeter. The only question is whether you’re treating it like one.


Not sure how well-defended your sign-ins really are? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.