
Network Segmentation: The Security Upgrade Most SMBs Skip

On a flat network, one compromised smart TV or visitor laptop has a direct path to your file server and customer data. Network segmentation closes that path. Here's what it means and how to do it without an enterprise budget.

What Is a Flat Network — and Why Is It a Problem?

Most small businesses have what's called a flat network: every device — staff laptops, the receptionist's desktop, the guest WiFi, the IP cameras, the smart printer, the POS terminal — is on the same network and can see every other device.

This is the networking equivalent of leaving every internal door in your office unlocked. If someone gets through the front door (your perimeter firewall), or if a device on your network is already compromised (an IoT camera running 5-year-old firmware, say), they have a direct path to everything.

The CDK Global ransomware attack that shut down 15,000 dealerships in 2024 spread largely because dealership networks were flat — one compromised DMS vendor connection reached across the entire network. Segmentation wouldn't have prevented the initial intrusion, but it would have contained the blast radius significantly.

What Network Segmentation Actually Means

Network segmentation divides your network into separate zones (called VLANs — Virtual Local Area Networks) with firewall rules controlling what traffic can flow between them. Devices in one segment cannot communicate with devices in another unless explicitly permitted.

It doesn't require separate physical cables for each zone. A modern managed switch and a capable router handle this in software — which means it's a configuration project, not a hardware project, for most SMBs.

The Six Network Segments Most SMBs Need

  • Corporate / Staff Network: business computers, laptops, internal file servers. Core business operations — highest trust, tightest controls.
  • Guest / Visitor WiFi: customer and visitor devices. Zero trust — internet access only, no visibility into internal resources.
  • Point of Sale (POS): card readers, POS terminals, payment systems. PCI DSS requires this separation; it isolates payment data from the broader network.
  • IoT / Smart Devices: security cameras, smart TVs, printers, building controls. These devices rarely get security updates — contain them so a compromise cannot spread.
  • Server / Data Network: file servers, NAS devices, backup systems. Your most sensitive data — restrict access to only the users and systems that need it.
  • BYOD (Employee Personal Devices): personal phones and tablets used for work email. Separate from corporate to prevent cross-contamination from personal apps.

Why IoT Devices Deserve Their Own Segment

IP-connected cameras, smart TVs, HVAC controllers, and printers are among the worst-maintained devices on any network. They typically ship with default credentials, receive firmware updates infrequently (or never), and run embedded operating systems that vendors abandon after a few years.

These devices are actively targeted. Putting them on their own segment — one with no path to your file server, accounting software, or customer database — means that a compromised camera is an isolated problem rather than a network-wide one.

How to Implement Network Segmentation

1. Map your network

List every device on your network. Most SMBs don't know everything that's connected — rogue IoT devices are extremely common.

2. Identify your most sensitive data

Where is customer PII, payment data, or health records stored? Those systems anchor your most protected segment.

3. Define your segments

You don't need all six segments above from day one. Start with separating guest WiFi, IoT, and your core business network.

4. Configure VLANs on your switch and router

If you have a managed switch and a capable router (Ubiquiti UniFi, Cisco Meraki, Fortinet), VLANs are a configuration exercise. Expect 2–4 hours for a basic setup.

5. Apply inter-VLAN firewall rules

The segment boundaries are only useful if your firewall enforces them. Define rules explicitly: what can talk to what, and block everything else by default.

6. Test it

Put a device on the guest VLAN and confirm it cannot reach your file server or internal systems. Test from each segment.
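As an added example (not code from the original article or from any vendor named in it), here is the "what can talk to what, block everything else" policy for the six segments written down as data, with an audit that catches the mistakes step 6 is meant to find and a renderer that turns the same list into an nftables forward chain for a Linux-based router. The VLAN numbers, interface names, and port choices are assumptions to adjust for your own network.

```python
"""Inter-VLAN policy as data: explicit allows, default deny, an audit of the
segment rules, and an nftables rendering of the same list.
Interface names, VLAN IDs and ports below are assumptions, not from the article."""

# One VLAN per segment (assumed numbering) plus the upstream interface.
SEGMENTS = {
    "staff": "vlan10", "guest": "vlan20", "pos": "vlan30",
    "iot": "vlan40", "servers": "vlan50", "byod": "vlan60", "wan": "wan0",
}

# Explicit allow rules: (source, destination, TCP ports or None = any traffic).
# Anything not listed here is dropped by the default policy.
ALLOW = [
    ("staff",   "servers", (445, 443)),  # SMB file shares, internal web apps
    ("staff",   "wan",     None),
    ("guest",   "wan",     None),        # internet only, nothing internal
    ("pos",     "wan",     (443,)),      # payment processor over TLS only
    ("iot",     "wan",     (443,)),      # vendor cloud only; no internal path
    ("byod",    "wan",     None),
    ("servers", "wan",     (443,)),      # updates, offsite backup
]

def permitted(src, dst, port):
    """Evaluate a new connection against the allow list; default deny."""
    for s, d, ports in ALLOW:
        if s == src and d == dst and (ports is None or port in ports):
            return True
    return False

def audit():
    """Return (src, dst) pairs that violate the segmentation intent:
    low-trust segments must never have a path into servers or POS."""
    low_trust = ("guest", "iot", "byod")
    protected = ("servers", "pos")
    return [(s, d) for s, d, _ in ALLOW if s in low_trust and d in protected]

def to_nftables():
    """Render the allow list as an nftables forward chain with policy drop."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, d, ports in ALLOW:
        match = f'iifname "{SEGMENTS[s]}" oifname "{SEGMENTS[d]}"'
        if ports:
            match += " tcp dport { " + ", ".join(map(str, ports)) + " }"
        lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    assert not audit(), f"policy violations: {audit()}"
    print(to_nftables())
```

Run it before touching the router: a non-empty audit means the written policy already breaks the segment boundaries, and the rendered chain is the explicit, default-deny form step 5 asks for.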

Equipment That Supports Segmentation

Standard consumer routers (the box your ISP gave you, or a consumer Netgear or TP-Link) typically cannot support proper VLAN-based segmentation. You'll need:

  • A managed switch (Ubiquiti, Cisco Meraki, Netgear ProSAFE, Aruba) — $100–$500 for SMB scale
  • A router/firewall capable of VLAN routing (Ubiquiti UniFi Dream Machine, Fortinet FortiGate, pfSense/OPNsense) — $200–$800
  • Wireless access points that support multiple SSIDs mapped to different VLANs

If you already have business-grade networking equipment (Ubiquiti, Cisco Meraki, Fortinet), segmentation is often a configuration exercise that costs $0 in hardware. If you're on consumer gear, the hardware investment is typically $500–$1,500 for a small office — and it pays for itself in risk reduction.

Segmentation and Zero Trust

Network segmentation is the network layer of a Zero Trust architecture — the idea that trust is never assumed, always verified, and always scoped as narrowly as possible. Segmentation applies this to network traffic: devices are never trusted by virtue of being on your network. They're permitted only the access they specifically need. This is the most practical Zero Trust implementation step for most SMBs.

Related reading: Zero Trust Security for Small Businesses: What It Actually Means, Third-Party Risk: Why Your Vendors Could Be Your Biggest Security Blind Spot, What Is EDR and Why Your Antivirus Isn't Enough Anymore.
