Most of the companies I audit share one common infrastructure trait: the network is flat. A printer, the accountant’s laptop, a file server, a camera and a VoIP phone sit in the same subnet and can all see one another. It is convenient to configure and catastrophic in its effects when a break-in happens. Network segmentation is the division of that one big room into separate rooms with doors you have to open deliberately.

Why a flat network is a problem

When all devices sit in one zone, taking over one of them means access to the rest. The attacker does not have to overcome further barriers, because there simply are none. This phenomenon is called lateral movement, and it is what turns a minor incident into paralysis of the whole company.

  • One weak point opens the whole. An infected employee laptop sees the file server and tries to encrypt network shares.
  • Devices that cannot be patched. Cameras, printers and industrial equipment often run for years on old software. In a flat network they become a gateway.
  • No control over who talks to whom. No one knows that the VoIP phone has no reason to connect to the accounting server, until malicious software does exactly that.

In several ransomware incidents I have handled, the extent of the damage could be attributed directly to the lack of segmentation. Malware landed on one workstation and then, across the flat network, reached backups and servers within a dozen or so minutes. Where there were separate zones, the losses ended at a single department.

What segmentation gives you

Segmentation will not stop every attack, but it drastically limits its reach. It is the difference between a fire in one room and burning down the whole building. The specific benefits are as follows.

  1. Limiting lateral movement. Taking over a device in one zone does not automatically grant access to the others.
  2. Protecting critical assets. Servers, backups and financial systems are kept in separate, tightly controlled zones.
  3. Isolating risky devices. Guest equipment, IoT and unsupported systems get their own zone with no access to company data.
  4. Easier oversight and compliance. A clear division makes it easier to meet GDPR requirements and the direction set by NIS2 compliance.

How to go about segmentation

Start with an inventory

You cannot divide something you do not know. The first step is a list of devices and services and an answer to the question of who really needs to talk to whom. It usually turns out that a printer does not need access to the domain server, and cameras need nothing beyond their own recorder.

Carve out logical zones

To start, a few sensible zones are enough, based on VLANs and rules on the router or firewall:

  • a user zone (laptops and workstations),
  • a zone for servers and critical data,
  • a zone for IoT devices and printers,
  • a guest zone with access to the internet only,
  • a zone for managing network equipment.

Set traffic rules

The default rule should be: block everything, allow only what is needed. Every permitted flow between zones is a deliberate decision, not a side effect of a flat network. We start with restrictive rules and open exactly those ports the company’s operation requires.

Microsegmentation, a step further

Classic segmentation divides the network into zones. Microsegmentation goes deeper and controls traffic down to the level of individual applications and servers, even within the same zone. It is a level worth aiming for in environments with sensitive data, though you do not have to deploy it from day one. A sensible order is first solid zones, then a gradual tightening of the rules where the risk is greatest.

Segmentation pairs excellently with a detection layer on devices. When the network is divided and, on top of that, EDR and XDR solutions are running, unusual connection attempts between zones become a clear signal that something bad is happening. Isolation alone limits the damage, while detection lets you react before the attacker finds a way around.

Segmentation and regulatory requirements

Increasingly, dividing the network stops being merely good practice and becomes an expectation of the regulator and the client. Auditors ask outright how the company limits the spread of an incident, and cyber insurers make the premium depend on it. Segmentation is one of the easiest controls to document: you have a diagram of zones, a set of rules and a justification for each of them. This fits well with a risk-based approach, in which you first identify critical assets and then surround them with the strongest barriers. Companies covered by the new obligations today treat segmentation as one of the first, cheap steps that measurably reduce the effects of a breach.

How much it costs

The good news is that segmentation in its basic scope rarely requires new hardware. In most companies the managed switches and firewall already support VLANs and flow rules, only no one uses them. The cost is mainly the time for an inventory, a zone design and configuration, not purchases. Only microsegmentation or a full separation of production environments tends to be an investment in additional tools. That is why it is worth starting with what you have and expanding the model gradually, at a pace matched to the real risk.

The most common mistakes

  • An allow-everything rule between zones. Segmentation then exists only on paper.
  • No zone for guests and IoT. These are most often the weakest devices in the company.
  • Forgotten administrative access. Management panels for switches and firewalls exposed to the user network.
  • Segmentation without documentation. After a year no one remembers why a given rule exists or whether it can be removed.

Segmentation is one of those investments that do not impress in a presentation but save the company on the day of an incident. If your network is still flat, a good starting point is a review of what connects to what today. We will gladly help design the zone division and rules that fit how your company really works.