April 2026
If every device on your network can reach every other device, you don't have a network - you have a single point of failure waiting to become a catastrophe. Network segmentation is one of the most effective security controls available, and one of the most consistently skipped by small and mid-sized businesses.
A flat network is one where all devices share the same network segment and can communicate with each other freely. Your workstations, servers, printers, IP cameras, HVAC controllers, and guest Wi-Fi are all reachable from one another with no restriction. This is the default configuration for most small business networks because it's the path of least resistance during setup.
It is also exactly what attackers rely on once they're inside.
Ransomware doesn't detonate the moment it lands on a machine. Modern ransomware operators spend time inside a network first - mapping drives, identifying backup targets, escalating privileges, and spreading laterally to as many systems as possible before triggering the encryption. A flat network makes this trivially easy. An infected workstation can reach your domain controllers, your file servers, your backup appliance, and every other workstation on the network without any obstruction.
Segmentation contains the blast radius. If your workstations live on a VLAN that cannot initiate connections to your servers or backup infrastructure, a compromised endpoint cannot spread laterally to the systems that matter most.
VLANs (Virtual Local Area Networks) divide a physical network into logical segments that are isolated from one another at layer 2. Traffic between VLANs must pass through a firewall or router, where access control rules determine what is and isn't permitted. This gives you granular control over which systems can talk to which other systems, and forces all inter-segment traffic through a point where it can be inspected.
A well-segmented SMB network typically includes separate segments for:
- User workstations
- Servers (domain controllers, file servers)
- Backup infrastructure
- Printers
- IoT and building systems (IP cameras, smart TVs, HVAC controllers)
- Guest Wi-Fi
The IoT blind spot: IP cameras, smart TVs, and HVAC controllers are consistently the least-patched devices on any network. They are also often the easiest to compromise. Putting them on an isolated segment - with no access to the rest of your environment - is a straightforward control that eliminates an entire category of lateral movement risk.
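The segment plan above, as an added example in Python that is not SummitCore's code and not any vendor's configuration syntax: a first-match, default-deny inter-VLAN policy is modeled as data, a flat network is the same model with a single permit-all rule, and blast_radius() reports which segments a compromised host can open connections into under each. The subnets, port lists, probe ports and the 203.0.113.10 "internet" address are hypothetical values constructed for the demonstration.

```python
"""Model an inter-VLAN firewall policy and measure a compromised host's reach.

Added example for this article, not SummitCore's own tooling and not the
syntax of any particular firewall. Segment names, subnets, ports and probe
addresses are hypothetical and constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment plan: one VLAN (and one /24) per device class named in
# the article. Any address outside these ranges is treated as the internet.
SEGMENTS = {
    "workstations": ip_network("10.10.10.0/24"),
    "servers": ip_network("10.10.20.0/24"),   # domain controllers, file servers
    "backup": ip_network("10.10.30.0/24"),
    "printers": ip_network("10.10.40.0/24"),
    "iot": ip_network("10.10.50.0/24"),       # cameras, smart TVs, HVAC
    "guest": ip_network("10.10.60.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str          # segment name or "any"
    dst: str          # segment name, "internet", or "any"
    ports: frozenset  # permitted destination ports; empty means any port
    action: str       # "allow" or "deny"

    def matches(self, src, dst, port):
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and (not self.ports or port in self.ports))


# First-match ruleset for a stateful firewall. Only the initiating direction is
# listed: replies are admitted by connection state, so servers never need a
# rule back toward workstations. Unmatched traffic hits the implicit deny.
SEGMENTED_POLICY = [
    # DNS, Kerberos, RPC, LDAP, SMB, LDAPS toward the domain
    Rule("workstations", "servers", frozenset({53, 88, 135, 389, 445, 636}), "allow"),
    Rule("workstations", "printers", frozenset({631, 9100}), "allow"),
    Rule("workstations", "internet", frozenset(), "allow"),
    Rule("servers", "internet", frozenset({80, 443}), "allow"),  # patching only
    Rule("backup", "servers", frozenset({445}), "allow"),        # appliance pulls; nothing initiates toward it
    Rule("iot", "internet", frozenset({123, 443}), "allow"),     # NTP and vendor cloud, nothing internal
    Rule("guest", "internet", frozenset(), "allow"),
]

# A flat network expressed as policy: one permit-all rule.
FLAT_POLICY = [Rule("any", "any", frozenset(), "allow")]


def segment_of(ip):
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(policy, src_ip, dst_ip, port):
    """Decide a new connection: 'allow', 'deny', or 'intra-vlan'.

    'intra-vlan' marks the case segmentation does not cover: two hosts in the
    same VLAN talk at layer 2 and the firewall never sees the traffic.
    """
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return "intra-vlan"
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"  # implicit default deny


def has_flat_rule(policy):
    """True if any rule permits any source to any destination on any port."""
    return any(r.action == "allow" and r.src == "any" and r.dst == "any"
               and not r.ports for r in policy)


# Ports an intruder typically probes while moving laterally (constructed list:
# SSH, HTTP, HTTPS, SMB, RDP, raw print).
PROBE_PORTS = (22, 80, 443, 445, 3389, 9100)


def blast_radius(policy, src_ip):
    """Segments into which a host at src_ip can open at least one connection."""
    targets = {name: str(net[1]) for name, net in SEGMENTS.items()}
    targets["internet"] = "203.0.113.10"  # TEST-NET-3 documentation address
    reachable = set()
    for name, dst_ip in targets.items():
        if any(evaluate(policy, src_ip, dst_ip, p) == "allow" for p in PROBE_PORTS):
            reachable.add(name)
    return sorted(reachable)


if __name__ == "__main__":
    infected = "10.10.10.25"  # a compromised workstation
    print("flat:     ", blast_radius(FLAT_POLICY, infected))
    print("segmented:", blast_radius(SEGMENTED_POLICY, infected))
    print("camera, segmented:", blast_radius(SEGMENTED_POLICY, "10.10.50.7"))
```

Two points the model makes visible that a rule table alone does not. Only initiating directions are written, because a stateful firewall admits the replies by connection state; writing return rules is how "temporary" any-any permits creep in. And a connection between two hosts in the same VLAN comes back as intra-vlan rather than deny: inter-VLAN rules do nothing for workstation-to-workstation spread inside the workstation segment, which needs a host firewall or private VLANs on the switch.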
Proper segmentation requires a firewall that supports inter-VLAN routing with access control (any modern next-gen firewall from Palo Alto, Fortinet, or Meraki qualifies), and managed switches that support 802.1Q VLAN tagging. The infrastructure requirements are not expensive. The configuration requires someone who understands network architecture and can define the right access policies without breaking legitimate communication paths.
If you don't know whether your network is segmented, it almost certainly isn't. SummitCore's network assessments document your current architecture and identify exactly where the gaps are. Schedule a conversation to find out where you stand.