If every device in your office - workstations, servers, printers, security cameras, guest phones, IoT devices - is on the same network, you have a flat network. And a flat network means that when one device is compromised, the attacker can see and potentially access everything else on that network. Your point-of-sale terminal can talk to your accounting server. A compromised security camera can reach your file shares. A guest's infected laptop can probe your domain controller.
Network segmentation fixes this by dividing your network into separate zones with controlled access between them. It's one of the most effective security controls available, and one of the most frequently skipped by small and mid-size businesses.
Why Flat Networks Are Dangerous
Here's a scenario we've seen play out: an employee connects a personal device to the office Wi-Fi. That device has malware on it. Because the network is flat, the malware can scan the entire network - it discovers the file server, the domain controller, the NAS, and the accounting application server. Within minutes, it's attempted to authenticate against all of them using stolen credentials harvested from the compromised device.
In a segmented network, that personal device would be on a guest or BYOD network segment that has no access to business-critical systems. The malware scans its network segment and finds nothing of value. The blast radius of the compromise is limited to devices on that same segment - which, by design, contains nothing sensitive.
This isn't theoretical. Most ransomware incidents involve lateral movement - the initial compromise is one device, and the attacker moves across the network to find backups, domain controllers and file servers before deploying the encryptor. Segmentation is one of the primary controls that limits how far that movement can go.
Common Segmentation Zones
For most businesses, network segmentation doesn't need to be complex. A practical segmentation strategy typically includes:
- Business workstations - the network your employees' managed computers connect to. Has access to necessary business applications and file shares.
- Servers and infrastructure - your domain controllers, file servers, application servers, and backup systems. Only accessible from the workstation segment on specific ports.
- Guest and BYOD - for personal devices, visitor laptops, and anything not managed by your IT team. Internet access only, no access to business systems.
- IoT and OT devices - security cameras, printers, HVAC controllers, badge readers, smart TVs. These devices often have poor security and shouldn't be on the same network as your business systems.
- Payment processing - if you process credit cards, every system that can reach your payment systems is in scope for PCI DSS. Isolating the cardholder data environment on its own segment is how you keep that scope to the terminals and the few systems that genuinely need to talk to them, rather than your entire network.
How It's Implemented
Network segmentation is implemented with VLANs (Virtual Local Area Networks) on your switches, which split the physical network into separate layer-2 domains, and with a firewall that routes between those VLANs and applies rules to everything that crosses a boundary. Modern cloud-managed networking platforms like Cisco Meraki make this straightforward: you define the VLANs in the dashboard, assign switch ports and Wi-Fi SSIDs to them, and write inter-VLAN firewall rules that deny by default and permit only the specific source, destination and ports each business function needs.
The key is that segmentation is enforced at the network level, not the device level. It doesn't matter what a device does or how it's configured; if it's on the guest VLAN and no firewall rule permits guest-to-server traffic, it cannot reach the server VLAN. Two conditions make that hold in practice: inter-VLAN traffic must actually pass through the firewall (a layer-3 switch that routes between VLANs with no access lists gives you VLANs but no segmentation), and the rule set must deny by default rather than permit everything and block a few exceptions.
For businesses with multiple locations, each site should have consistent segmentation. A flat network at your satellite office that VPNs into your segmented headquarters defeats the purpose - the flat remote network becomes the attack path around your headquarters' segmentation.
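The zone list above and the VLAN-plus-firewall model are easiest to reason about as a deny-by-default rule table. The following is an added example, not code from the original article or from any vendor, that models such an inter-VLAN policy in Python: it maps addresses to zones, decides each flow the way the firewall would (first matching rule wins, anything unmatched is dropped), and audits the rule set against the design rules stated in the zone list (guest and IoT never reach business systems, server access names specific ports, the payment segment stays isolated). The VLAN numbers, subnets, port lists and sample flows are all constructed assumptions; the point is the shape of the policy, which any firewall can express in its own syntax.

```python
"""Deny-by-default inter-VLAN policy for the zones described above.

Added example: VLAN IDs, subnets, port lists and flows are constructed
assumptions for illustration, not a configuration from any real network.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone-to-subnet mapping (one /24 per VLAN).
ZONES = {
    "workstations": ip_network("10.10.0.0/24"),  # VLAN 10, managed PCs
    "servers":      ip_network("10.20.0.0/24"),  # VLAN 20, DCs, file/app/backup servers
    "guest":        ip_network("10.30.0.0/24"),  # VLAN 30, BYOD and visitors
    "iot":          ip_network("10.40.0.0/24"),  # VLAN 40, cameras, printers, HVAC
    "payment":      ip_network("10.50.0.0/24"),  # VLAN 50, cardholder data environment
}
BUSINESS_ZONES = {"workstations", "servers", "payment"}
UNTRUSTED_ZONES = {"guest", "iot"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "any"
    ports: frozenset[int]      # destination ports; empty means any port
    action: str                # "allow" or "deny"


# Ordered list, first match wins.  Every flow not matched here is dropped,
# so only the paths the business actually needs appear.  Port lists are
# illustrative (AD/Kerberos/LDAP, SMB, DNS, NTP, printing, HTTPS).
RULES = [
    Rule("workstations", "servers", "tcp", frozenset({53, 88, 135, 389, 445, 636}), "allow"),
    Rule("workstations", "servers", "udp", frozenset({53, 88, 123}), "allow"),
    Rule("workstations", "iot", "tcp", frozenset({631, 9100}), "allow"),   # printing only
    Rule("workstations", "internet", "any", frozenset(), "allow"),
    Rule("servers", "internet", "tcp", frozenset({80, 443}), "allow"),      # patching
    Rule("guest", "internet", "any", frozenset(), "allow"),                 # internet only
    Rule("iot", "internet", "udp", frozenset({123}), "allow"),              # NTP only
    Rule("payment", "internet", "tcp", frozenset({443}), "allow"),          # card processor
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the VLANs is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             rules: list[Rule] = RULES) -> tuple[str, str]:
    """Decide a flow the way the inter-VLAN firewall would; returns (action, reason).

    Same-VLAN traffic never reaches the firewall: it is switched locally.  That
    is why hosts that must not see each other belong in different VLANs.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow", f"same VLAN ({src}); not subject to inter-VLAN policy"
    for r in rules:
        if (r.src == src and r.dst == dst
                and r.proto in (proto, "any")
                and (not r.ports or dport in r.ports)):
            return r.action, f"matched {r.src}->{r.dst} {r.proto} {sorted(r.ports) or 'any'}"
    return "deny", f"implicit deny: no rule permits {src}->{dst}"


def audit(rules: list[Rule]) -> list[str]:
    """Check a rule set against the zone design; returns the violations found."""
    problems = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src in UNTRUSTED_ZONES and r.dst in BUSINESS_ZONES:
            problems.append(f"{r.src}->{r.dst}: untrusted zone reaches business systems")
        if r.dst == "servers" and not r.ports:
            problems.append(f"{r.src}->servers: server access must name specific ports")
        if "payment" in (r.src, r.dst) and r.dst != "internet":
            problems.append(f"{r.src}->{r.dst}: payment segment must stay isolated")
    return problems


if __name__ == "__main__":
    # Constructed flows: the infected guest laptop from the scenario above
    # probing the file server and DC, alongside legitimate business traffic.
    flows = [
        ("10.30.0.25", "10.20.0.5", "tcp", 445),    # guest -> file server
        ("10.30.0.25", "10.20.0.10", "tcp", 389),   # guest -> domain controller
        ("10.30.0.25", "203.0.113.9", "tcp", 443),  # guest -> internet
        ("10.10.0.7", "10.20.0.5", "tcp", 445),     # workstation -> file share
        ("10.10.0.7", "10.20.0.5", "tcp", 3389),    # workstation -> RDP, not permitted
        ("10.40.0.3", "10.20.0.5", "tcp", 445),     # camera -> file server
        ("10.10.0.7", "10.40.0.9", "tcp", 9100),    # workstation -> printer
    ]
    for f in flows:
        action, why = evaluate(*f)
        print(f"{f[0]:>12} -> {f[1]:<13} {f[2]}/{f[3]:<5} {action:5} {why}")
    print("audit:", audit(RULES) or "no violations")
```

Running the file prints one decision per flow and the audit result. The guest and camera flows toward the server VLAN fall through to the implicit deny, while the workstation's RDP attempt is also dropped because the rule toward servers lists only the ports the business needs. The audit function is the part worth keeping around: run the same checks against an export of your real rule set whenever it changes, since a single broad "allow any" rule added for troubleshooting quietly turns the segmented network back into a flat one.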
The Compliance Connection
Network segmentation isn't just a best practice - most compliance frameworks either require it or make it the only practical way to meet their requirements:
- PCI DSS - doesn't strictly mandate segmentation, but every system that can reach the cardholder data environment is in scope for assessment, so isolating that environment is how merchants keep scope and cost manageable
- HIPAA - the Security Rule's access control and risk management requirements are very hard to satisfy for ePHI systems sitting on a flat network with everything else
- CMMC - its system and communications protection controls, drawn from NIST SP 800-171, call for boundary protection and separation of systems that handle Controlled Unclassified Information (CUI)
- Cyber insurance - increasingly asks about network segmentation on applications and may deny claims if a flat network contributed to the scope of a breach
Getting Started
If your network is currently flat, the good news is that segmentation can be implemented incrementally. You don't have to redesign everything at once. A practical approach starts with the highest-risk segments first - typically isolating IoT devices and creating a separate guest network - then progressively segmenting business systems.
The networking equipment you already have may support VLANs. If it doesn't, upgrading to managed switches and a proper firewall is a worthwhile investment that enables segmentation along with better visibility, monitoring, and control over your entire network.
A flat network is a single security failure away from a total compromise. Segmentation ensures that a breach in one area stays in one area - and that's often the difference between a minor incident and a catastrophic one.
