Zero Trust in a 200-employee company
4 steps and a realistic budget
NIS2 is being implemented in Poland through an amendment to the UKSC. Indicatively 60-95k PLN/year on licenses - far less than the cost of a serious incident.
"Zero Trust is for enterprises." I hear this from companies with 100-300 employees, and it is a costly misconception. Ransomware and phishing-driven fraud regularly hit Polish SMEs, and the cost of a single serious incident - data recovery, downtime, legal handling - can dwarf an annual budget for basic security. In 2026, lack of access control is not just a security risk; it is a legal risk, especially in the context of NIS2 implementation.
Why Zero Trust is no longer optional - NIS2 and real incidents
The NIS2 directive is being implemented in Poland via an amendment to the act on the national cybersecurity system (UKSC) - it is worth verifying the exact status and effective dates of individual provisions against current law. The regulation covers companies in essential sectors (energy, transport, healthcare, digital infrastructure) and important sectors (manufacturing, distribution, logistics, digital services). Estimates of the number of entities covered in Poland talk about tens of thousands of companies - the exact number depends on the final shape of the rules.
Fines for breaches: up to EUR 10 million or 2% of global annual turnover (whichever is higher) for essential entities, up to EUR 7 million or 1.4% of global annual turnover (whichever is higher) for important entities. But before the supervisory authority imposes a fine under the UKSC, a ransomware attack or a data leak will usually have done the damage first.
Typical attack scenarios on SMEs: First - a ransomware attack via a stolen administrator password without MFA, leading to several days of production downtime and high costs of ransom and system rebuild. Second - phishing of a decision-maker's email account, resulting in an unauthorized transfer and a long case with the bank and lawyers. The common denominator of such incidents is the lack of MFA and weak access control - i.e., the very mechanisms that in most cases would have stopped the attack.
Zero Trust as a security model is based on "never trust, always verify". In practice, for a 200-employee company this means 4 concrete areas of action that can be rolled out gradually. The full list of NIS2 requirements for the IT manager (including access control and MFA) is described in our article NIS2 IT checklist - 40 tasks.
Step 1: MFA and identity management (AD360)
Multi-factor authentication for every account
ManageEngine AD360 - an integrated IAM (Identity and Access Management) platform with MFA, single sign-on, and user provisioning. Budget: 15-25k PLN/year for 200 employees.
What MFA delivers: Even if an employee's password is stolen (phishing, dark web), the attacker will not log in without a second factor (mobile app, SMS, hardware key). According to Microsoft's own telemetry, MFA blocks more than 99.9% of automated account-compromise attacks. Not all second factors are equal, though: SMS codes and push approvals can be relayed through a phishing proxy or worn down by prompt bombing, so give administrators and VPN users phishing-resistant factors (FIDO2/WebAuthn keys) and keep SMS as a fallback only.
MFA rollout priorities
| Accounts / systems | Priority | Why |
|---|---|---|
| VPN and remote access | Critical - roll out in week 1 | One of the most common initial-access vectors against SMEs |
| IT administrator accounts | Critical - roll out in week 1 | Compromise gives access to everything |
| Email (M365/Gmail) | High - weeks 2-3 | Email phishing is the #1 vector |
| ERP, CRM, business systems | Medium - month 2 | Business-critical data |
| All other accounts | Normal - months 2-3 | Protection against lateral movement |
Self-service password reset (SSPR)
AD360 includes a self-service password reset function for employees - after MFA verification. Effect: the help desk handles noticeably fewer password-related tickets, because employees reset them on their own. The scale of the relief depends on how large a share of tickets had been password cases.
Step 2: Least Privilege - minimal permissions (AD Manager Plus)
Audit and reduce permissions to the necessary minimum
ManageEngine AD Manager Plus - managing Active Directory permissions, access reporting, and management delegation. Budget: 10-15k PLN/year for 200 employees.
Least Privilege is the rule: each user has exactly as much access as their work requires - no more. In most SMEs this rule has been broken for years: employees leave but their accounts live on; someone "temporarily" got access to the finance directory 3 years ago and nobody took it back; new employees get a copy of their predecessor's permissions "to save time". A permissions audit often goes hand in hand with a license audit. Details in our article software license audit - 8 traps.
Typical findings during a permissions audit
- Zombie accounts: in many SMEs, part of the Active Directory accounts belong to former employees and were never disabled. Each of them is a potential attack vector.
- Excessive permissions: employees often have access to far more resources (folders, systems) than their role requires - especially when permissions are copied from predecessors.
- Service accounts with high permissions: business applications often run on accounts with domain administrator rights - completely unnecessarily.
- AD groups without an owner: nobody knows who is responsible for managing a group and who should be in it.
What it looks like in practice: A typical Active Directory permissions audit for a company of this size usually takes 1-3 working days. The most common outcome is detecting and disabling accounts of former employees, cleaning up unneeded group memberships, and downgrading service accounts with unjustified admin rights. Tidying up permissions clearly reduces the attack surface and makes it easier to keep AD tidy afterwards.
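The four findings above can be pulled out of Active Directory before any product is bought. The script below is an added example, not code from the original article or from ManageEngine: a read-only hygiene check using the RSAT ActiveDirectory module, run as an account with read access to the domain. The inactivity threshold, output folder and the `svc*` naming convention for service accounts are assumptions; adjust them to your environment. Nothing is modified - review the CSVs, then disable or remove deliberately.

```powershell
# Added example: read-only AD hygiene audit for the findings listed above.
# Assumes RSAT ActiveDirectory module; $Days, $OutDir and the 'svc*' naming
# convention are assumptions, not facts about any particular environment.
Import-Module ActiveDirectory

$Days   = 90                 # inactivity threshold; align with HR offboarding policy
$OutDir = 'C:\Audit\AD'      # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Cutoff = (Get-Date).AddDays(-$Days)

# 1. Zombie accounts: enabled users with no logon in $Days days (or never, and
#    created before the cutoff). LastLogonDate comes from the replicated
#    lastLogonTimestamp, accurate to ~14 days, which is fine for a 90-day test.
$Stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff) -or
        (-not $_.LastLogonDate -and $_.WhenCreated -lt $Cutoff)
    } |
    Select-Object SamAccountName, Name, LastLogonDate, WhenCreated, DistinguishedName
$Stale | Export-Csv "$OutDir\stale-users.csv" -NoTypeInformation

# 2. Privileged group membership, resolved recursively (nesting hides members).
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$Priv = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires
        } |
        Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, PasswordLastSet, PasswordNeverExpires,
            @{n = 'IsServiceAccount'; e = { $_.ServicePrincipalName.Count -gt 0 -or $_.SamAccountName -like 'svc*' }}
}
$Priv | Export-Csv "$OutDir\privileged-members.csv" -NoTypeInformation

# 3. Service accounts holding admin rights: SPN-bearing or svc* accounts from the
#    list above. SPN accounts in admin groups are also prime Kerberoasting targets,
#    so an old PasswordLastSet here is a second finding in its own right.
$Priv | Where-Object IsServiceAccount |
    Export-Csv "$OutDir\service-accounts-with-admin.csv" -NoTypeInformation

# 4. Groups without an owner: security groups with an empty ManagedBy, excluding
#    well-known groups (RID 5xx, e.g. Domain Admins 512, Builtin Administrators 544),
#    which are owned by the directory itself.
Get-ADGroup -Filter { GroupCategory -eq 'Security' } -Properties ManagedBy, Members, WhenCreated |
    Where-Object { -not $_.ManagedBy -and $_.SID.Value -notmatch '-5\d\d$' } |
    Select-Object Name, @{n = 'MemberCount'; e = { @($_.Members).Count }}, WhenCreated, DistinguishedName |
    Export-Csv "$OutDir\groups-without-owner.csv" -NoTypeInformation

'{0} stale users, {1} privileged memberships ({2} of them service accounts)' -f `
    @($Stale).Count, @($Priv).Count, @($Priv | Where-Object IsServiceAccount).Count
```

Run it from a management workstation rather than a domain controller, and treat the stale-user list as a conversation with HR, not an auto-disable list: a never-logged-on account created last week is legitimate, which is why the script checks WhenCreated against the same cutoff.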
Step 3: Privileged account control (PAM360)
Secure vault for admin and system passwords
ManageEngine PAM360 - Privileged Access Management: password vault, admin session recording, just-in-time access. Budget: 15-25k PLN/year for 200 employees.
Privileged accounts (IT admins, service accounts, database accounts) are "keys to the kingdom". If an attacker grabs one administrator account without restrictions, they have access to everything. PAM360 solves this in a few ways:
Key PAM360 features
- Password vault: Passwords to critical systems are stored in an encrypted vault. Technicians check out a password for a session and check it back in - the system rotates it automatically after each use.
- Session recording: Every admin session is recorded (video + keystrokes). Who did what on which server and when - a full audit trail. NIS2 does not mandate session recording as such, but it is one of the simplest ways for an essential entity to evidence the access-control and logging measures the directive expects.
- Just-in-time access: Technicians do not have permanent admin rights - they request access for a defined time on a defined system. Access expires automatically.
- Anomaly detection: Behavioral analytics on administrator activity flags deviations from the usual pattern (a login at 3:00 AM, a mass data export) for review.
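Just-in-time access is not vendor magic; the mechanism PAM360 wraps is available in plain Active Directory, and knowing that helps when evaluating what the product adds (vault, recording, approval workflow). The following is an added example, not code from the original article or from ManageEngine: time-bound group membership with the native AD PAM optional feature. It requires forest functional level 2016 or higher, and the feature cannot be disabled once enabled. The forest name, group and account are assumed.

```powershell
# Added example: native AD just-in-time membership (not PAM360 code).
# Assumptions: forest 'corp.example', group 'SRV-Admins', operator 'jkowalski'.
# Requires forest functional level 2016+; enabling the feature is irreversible.
Import-Module ActiveDirectory

# One-time, per forest: turn on time-bound membership. Prompt suppressed here;
# in production run it interactively and read the warning.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example' -Confirm:$false

# Grant two hours of membership. AD removes the link itself when the TTL expires,
# and a Kerberos TGT issued to the member is capped at the remaining TTL, so the
# elevation really ends instead of lingering in a cached ticket.
Add-ADGroupMember -Identity 'SRV-Admins' -Members 'jkowalski' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# Verify: each expiring member is shown as <TTL=seconds>,CN=... .
Get-ADGroup -Identity 'SRV-Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Used this way, the "request access for a defined time" step is a ticket plus one cmdlet, and the standing membership of the admin groups can be emptied out, which is the state Step 2 is trying to reach.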
Step 4: SIEM and threat detection (Log360)
Security command center - logs from every system
ManageEngine Log360 - SIEM (Security Information and Event Management) with threat analytics and event correlation. Budget: 20-30k PLN/year for 200 employees.
The first three steps protect access. The fourth step answers: what if something gets through anyway? SIEM collects logs from every system (Active Directory, firewall, ERP, servers, VPN), correlates them, and generates alerts when patterns indicate an attack.
What Log360 detects in practice
- Brute force: 50 failed logins to an account in 5 minutes - alert and a temporary account lock. Keep in mind that automatic lockout is also a denial-of-service lever: anyone who can generate failed logins can lock out staff, so block the offending source IP as well and exclude service accounts from the lockout policy.
- Lateral movement: A user account logs into a server it has never accessed before - suspicious activity.
- Data exfiltration: An employee copies 10 GB of files to USB or sends a large external email - DLP policy violation.
- Insider threats: An employee who handed in notice suddenly downloads all customer data - insider threat alert.
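The first two detections are worth prototyping outside the SIEM so the thresholds can be argued about with real numbers before they become correlation rules. The block below is an added example, not code from the original article or from Log360: the brute-force and lateral-movement rules written as plain PowerShell over constructed events shaped like Windows security events 4625 (failed logon) and 4624 (successful logon). Hosts, users, addresses and timestamps are invented sample data.

```powershell
# Added example: brute-force and first-time-logon correlation over constructed
# Windows security events (4625 / 4624). Sample data below is invented.

function Find-BruteForce {
    # Sliding window: alert once per account when $Threshold failures fall within $WindowMinutes.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 50,
        [int] $WindowMinutes = 5
    )
    $Window = New-TimeSpan -Minutes $WindowMinutes
    $Events | Where-Object EventId -eq 4625 | Group-Object TargetUser | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $j = $i + $Threshold - 1
            if (($times[$j] - $times[$i]) -le $Window) {
                [pscustomobject]@{
                    Rule     = 'BruteForce'
                    User     = $_.Name
                    Failures = $Threshold
                    Start    = $times[$i]
                    End      = $times[$j]
                    Sources  = (@($_.Group.SourceIp) | Sort-Object -Unique) -join ','
                }
                break   # one alert per account per run; lockout/IP block is a separate response action
            }
        }
    }
}

function Find-NovelLogons {
    # Network/RDP logons (types 3 and 10) in the last $RecentHours to a host the
    # account did not touch in the preceding $BaselineDays.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $BaselineDays = 30,
        [int] $RecentHours = 24
    )
    $Now    = ($Events | Sort-Object Time | Select-Object -Last 1).Time
    $Cut    = $Now.AddHours(-$RecentHours)
    $Oldest = $Now.AddDays(-$BaselineDays)
    $logons = $Events | Where-Object { $_.EventId -eq 4624 -and $_.LogonType -in @(3, 10) }
    $seen = @{}
    foreach ($e in ($logons | Where-Object { $_.Time -ge $Oldest -and $_.Time -lt $Cut })) {
        $seen["$($e.TargetUser)|$($e.Host)"] = $true
    }
    foreach ($e in ($logons | Where-Object { $_.Time -ge $Cut } | Sort-Object Time)) {
        $key = "$($e.TargetUser)|$($e.Host)"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true      # report the first new user/host pair only
            [pscustomobject]@{ Rule = 'NovelLogon'; User = $e.TargetUser; Host = $e.Host; LogonType = $e.LogonType; Time = $e.Time }
        }
    }
}

# --- constructed sample data -------------------------------------------------
$T0 = Get-Date '2026-03-10 03:00:00'
$Sample = [System.Collections.Generic.List[object]]::new()
# 55 failures against 'jkowalski' from one IP in under four minutes -> fires
foreach ($n in 0..54) {
    $Sample.Add([pscustomobject]@{ EventId = 4625; Time = $T0.AddSeconds($n * 4); TargetUser = 'jkowalski'; SourceIp = '203.0.113.7'; Host = 'VPN-GW'; LogonType = 3 })
}
# 20 failures spread over an hour against 'anowak' -> below threshold, silent
foreach ($n in 0..19) {
    $Sample.Add([pscustomobject]@{ EventId = 4625; Time = $T0.AddMinutes($n * 3); TargetUser = 'anowak'; SourceIp = '198.51.100.9'; Host = 'VPN-GW'; LogonType = 3 })
}
# Baseline: jkowalski normally uses FILE01; today also hits SQL01 for the first time -> fires
foreach ($d in 2..21) {
    $Sample.Add([pscustomobject]@{ EventId = 4624; Time = $T0.AddDays(-$d); TargetUser = 'jkowalski'; SourceIp = '10.0.5.21'; Host = 'FILE01'; LogonType = 3 })
}
$Sample.Add([pscustomobject]@{ EventId = 4624; Time = $T0.AddMinutes(5); TargetUser = 'jkowalski'; SourceIp = '10.0.5.21'; Host = 'FILE01'; LogonType = 3 })
$Sample.Add([pscustomobject]@{ EventId = 4624; Time = $T0.AddMinutes(6); TargetUser = 'jkowalski'; SourceIp = '10.0.5.21'; Host = 'SQL01';  LogonType = 10 })

Find-BruteForce -Events $Sample | Format-Table
Find-NovelLogons -Events $Sample | Format-Table
```

Two things this makes visible that a rule editor hides: the brute-force rule is a sliding window, not a fixed five-minute bucket (an attacker pacing 25 attempts per bucket would otherwise never trip it), and the lateral-movement rule is only as good as its baseline, so a freshly deployed SIEM will flood the first weeks with "novel" logons until it has seen normal traffic.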
NIS2 and reporting: UKSC implements NIS2's staged reporting of significant incidents: an early warning to the competent CSIRT within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within a month. Which CSIRT is competent depends on the sector; for most private companies it is CSIRT NASK, operated by CERT Polska. Log360 generates incident reports that can serve as the basis for those notifications - which reduces the chaos during a security event when "nobody knows what happened".
Total budget and deployment schedule
Annual Zero Trust cost for a 200-employee company
| Tool | Function | Annual cost | Deployment time |
|---|---|---|---|
| AD360 | MFA + IAM + SSO | 15,000 - 25,000 PLN | 2-3 weeks |
| AD Manager Plus | Least Privilege + AD audit | 10,000 - 15,000 PLN | 1-2 weeks |
| PAM360 | Privileged accounts + vault | 15,000 - 25,000 PLN | 2-3 weeks |
| Log360 | SIEM + threat detection | 20,000 - 30,000 PLN | 2-4 weeks |
| Implementation and configuration | Rotech Group services | 30,000 - 50,000 PLN one-time | 6-10 weeks total |
| TOTAL (licenses) | | 60,000 - 95,000 PLN/year | 6-10 weeks |
Deployment schedule - 10 weeks
- Weeks 1-2: AD audit and permissions inventory (AD Manager Plus), removal of zombie accounts
- Weeks 2-3: Priority MFA rollout (VPN, admins, email) in AD360
- Weeks 3-5: PAM360 configuration, migration of admin passwords to the vault
- Weeks 4-6: MFA rollout for all users (education and support)
- Weeks 6-10: Log360 deployment, correlation rule configuration, alerting tests
Questions and answers
Where to start with a Zero Trust deployment?
The priority is MFA - multi-factor authentication for all accounts (especially VPN and email). It delivers the biggest security effect for the lowest cost and the shortest deployment time - 2-3 weeks. The second step is an AD permissions audit - checking who has access to what and removing zombie accounts. Only after those two steps is it worth thinking about PAM and SIEM.
Does NIS2/UKSC require Zero Trust?
NIS2 (implemented in Poland through an amendment to UKSC) requires cybersecurity risk management, including access control, multi-factor authentication, and incident monitoring. Verify the exact effective dates of individual obligations against the current state of the act or with a lawyer. Zero Trust as a philosophy addresses these requirements directly, but NIS2 does not impose a specific technical architecture. Companies in essential sectors (energy, transport, healthcare, digital infrastructure) are subject to rigorous requirements and supervision; important sectors face somewhat lighter standards.
How much does Zero Trust cost for a 200-employee company?
Indicative annual budget for ManageEngine licenses (prices may change, verify the current price list): AD360 15-25k PLN, AD Manager Plus 10-15k PLN, PAM360 15-25k PLN, Log360 20-30k PLN. Licenses total: indicatively 60-95k PLN/year. One-time implementation cost: 30-50k PLN. For context: industry reports (e.g., IBM Cost of a Data Breach) give a sense of the scale of incident costs, and for Polish SMEs a serious incident is commonly estimated in the hundreds of thousands of PLN. Consult data relevant to your industry.
How to explain the Zero Trust investment to the board?
Use concrete numbers for your industry: "Deployment costs 75,000 PLN per year. A single ransomware incident costs Polish SMEs a significant amount. Industry reports estimate it at several hundred thousand PLN (check current data, e.g., the IBM report or CERT Polska). Even with a few-percent annual probability of an attack, the investment makes economic sense already in the first year." Add an example from your industry. That is a stronger argument than general statistics.
Check the security gaps in your company
In 60 minutes we will review your Active Directory environment, identify zombie accounts and excessive permissions, and tell you what is most urgent. You get a prioritized report - free of charge.
Book a free AD audit