28 May 2026

Network Segmentation in SMEs: Where to Start


In most mid-market networks, an attacker who gets in can go almost anywhere. Printers, servers, accounting, production: everything hangs on the same flat network. That is exactly what makes ransomware so effective: a single compromised machine is enough to spread to everything else. Network segmentation flips this logic. It limits which systems a compromised machine can reach, and with that how far an attacker can move inside the internal network.

Key Takeaways

  • The flat network is the amplifier. Without separation, a single infected machine quickly becomes a total outage. Most successful attacks live off lateral movement through the network.
  • Segments contain the damage. Even a rough split into a few zones significantly shrinks the blast radius of an attack. Microsegmentation takes the principle all the way down to individual systems.
  • Start where the damage would be greatest. Mid-market companies don’t need to segment everything at once. Starting with the most critical areas delivers the biggest impact for the least effort.


What is network segmentation?

Network segmentation is the division of a network into multiple isolated sections, with traffic controlled between them. Instead of a single open network, distinct zones emerge, for example for office, servers, production, or guests. A threat inside one section cannot move freely into the others, because rules and checkpoints stand in between.

Why flat networks accelerate ransomware

A flat network is convenient. Everything finds everything, nothing needs to be configured, new devices just work. That same convenience is its fatal weakness. When every machine can reach every other, so can the malware that has taken one of them over. The first infected workstation becomes a launchpad for the entire network.

This lateral movement is no edge case – it is the standard pattern of successful attacks. Initial access via a phishing email or an unpatched vulnerability is only the beginning. The real damage happens when the attacker works outward from there toward the valuable targets: the file server, the backup system, the domain controller.

60 percent of successful attacks exploit lateral movement through the network, according to an industry study. That movement is exactly what segmentation is designed to limit.
Source: Illumio, Lateral Movement Study 2025

One widely documented case is an attack that spread years ago across a flat corporate network and caused damage in the triple-digit millions, because nothing inside the network stood in its way. In mid-market companies the same mechanism plays out on a smaller scale, but it often hits production, accounting, and recovery operations directly. The total damage therefore depends not just on the initial point of entry, but on how far the attacker can get from there.

3 Levels That Make Networks Resilient

Segmentation typically starts with a few zones and can extend all the way to control over individual systems. For those just getting started, what matters most is that critical areas can no longer communicate with each other unchecked.

Level                   | Principle                          | Limitation
VLAN zones              | broad separation by area           | everything within a zone remains open
Firewall between zones  | rules govern the transition        | only as good as the rule maintenance
Microsegmentation       | per-system rules, identity-based   | more complex to set up

Classic zone separation via VLANs is the pragmatic entry point, carving out the obvious boundaries: guest Wi-Fi away from the internal network, production away from office IT, servers in their own segment. The second part – often missing – is just as important: a zone alone stops nothing if traffic between zones flows unfiltered. Only a firewall with clearly defined rules in between turns separated areas into real barriers. Microsegmentation goes further still, enforcing rules between individual systems regardless of their location in the network. It is the most powerful tool against lateral movement, but also the most demanding to implement.

Where Mid-Sized Companies Can Start Without Getting Lost

The most common mistake is trying to segment everything at once – and ending up not starting at all. A smarter approach is to ask where a breach would be most costly, and draw the first boundary exactly there.

Three separations deliver the first measurable impact in many mid-sized networks. First, strictly isolate guest and Wi-Fi networks from the internal network: external devices have no place in the same zone as accounting. Second, separate production systems and machine controls from office IT, since these systems are often old, unpatched, and particularly vulnerable. Third, place critical servers, above all backup and administration systems, in their own tightly controlled segment. For the backup segment the direction of the permitted connections matters: if the backup server has to accept connections from the systems it protects, a compromised server can reach it, whereas a backup system that pulls from those systems and accepts inbound connections only from administration stays out of reach. These three separations alone significantly reduce the paths an attack can use to spread laterally.
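To make the difference between a zone boundary and a filter rule concrete, here is an added example, not code from the article, that models the inter-zone policy as a default-deny matrix with explicit allows and computes the worst-case blast radius of one infected office workstation under a flat network and under two segmented designs. Zone names follow the three separations above; the allowed connections, port numbers and the push-versus-pull backup variants are assumptions chosen for illustration.

```python
"""Model of inter-zone policy: default deny, explicit allows, and the resulting
blast radius of a compromised host.  Constructed example; zone names follow the
three separations recommended in the text, rules and ports are assumptions."""
from collections import deque

ZONES = {"guest", "office", "production", "servers", "backup", "mgmt"}

# Explicit allows as (src_zone, dst_zone, proto, dst_port).  Everything not
# listed is denied.  Port numbers are illustrative assumptions.
ALLOWS_PUSH = {
    ("office", "servers", "tcp", 445),      # workstations -> file shares
    ("office", "servers", "tcp", 443),      # workstations -> intranet apps
    ("servers", "backup", "tcp", 9101),     # servers push backups (hypothetical agent port)
    ("mgmt", "servers", "tcp", 22),         # admin jump zone -> servers
    ("mgmt", "production", "tcp", 22),
    ("mgmt", "backup", "tcp", 22),
}

# Same policy, but the backup system pulls from the servers instead of the
# servers pushing to it: no zone except mgmt may open connections into backup.
ALLOWS_PULL = (ALLOWS_PUSH - {("servers", "backup", "tcp", 9101)}) | {
    ("backup", "servers", "tcp", 445),
}


class ZonePolicy:
    def __init__(self, zones, allows=(), flat=False):
        self.zones = set(zones)
        self.allows = set(allows)
        self.flat = flat  # flat=True: VLANs exist but nothing filters between them

    def permits(self, src, dst, proto, port):
        """Is a connection from zone src to port on zone dst allowed?"""
        if src == dst:
            return True  # a zone is open internally: the VLAN limitation from the table
        if self.flat:
            return True  # unfiltered transitions: the zone boundary stops nothing
        return (src, dst, proto, port) in self.allows

    def next_hops(self, zone):
        """Zones a host in `zone` can open at least one permitted connection into."""
        if self.flat:
            return self.zones - {zone}
        return {dst for (src, dst, _proto, _port) in self.allows if src == zone}

    def blast_radius(self, start):
        """Worst-case lateral movement: assume every permitted connection can be
        abused to compromise its destination, and follow them transitively."""
        seen = {start}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in self.next_hops(cur):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen


def compare(start="office"):
    """Blast radius of one infected host in `start` under three designs."""
    return {
        "flat": ZonePolicy(ZONES, flat=True).blast_radius(start),
        "segmented_push": ZonePolicy(ZONES, ALLOWS_PUSH).blast_radius(start),
        "segmented_pull": ZonePolicy(ZONES, ALLOWS_PULL).blast_radius(start),
    }


if __name__ == "__main__":
    for design, zones in compare().items():
        print(f"{design:16s} infected office host reaches: {sorted(zones)}")
```

The model deliberately treats every permitted connection as a potential hop, which is the assumption a defender should make when drawing zones: the push-based variant shows how a single "servers to backup" rule pulls the backup zone into the blast radius of an office workstation, while the pull-based variant leaves it unreachable.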

What segmentation achieves – and when it becomes false security

A separation on paper does not protect. Whether segmentation actually works or merely creates a sense of security comes down to implementation. The following patterns tell the two apart.

False Security

  • Zones defined, but traffic between them flows unfiltered
  • A single rule that permits everything, because proper separation was too much work
  • Legacy systems acting as a bridge that reconnects two zones anyway
  • Rules set once and never reviewed again

Real Separation

  • Filtered transitions between zones, blocked by default
  • Only the connections that are genuinely necessary are explicitly permitted
  • Critical servers and backups isolated in their own zone
  • Rules documented and reviewed on a regular basis

The guiding principle is explicit permission: between zones, everything is denied by default, and only the necessary connections are selectively allowed. That is more work than a single rule that lets everything through – but it is the difference between a partition and a door that is always open. Network segmentation does not prevent an attack. It ensures that an incident does not become a total loss, and in an emergency that distinction is what matters most.
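The "false security" patterns above can be checked mechanically against a ruleset and a host inventory. The following added example, not code from the article, audits a constructed ruleset for an allow-all rule, wildcard rules, guest access into internal zones, non-administrative inbound access to the backup zone, rules whose last review is older than a year, and dual-homed hosts that bridge two zones around the firewall. The rule fields, the review threshold and the inventory are assumptions for illustration.

```python
"""Audit a zone ruleset and host inventory for the 'false security' patterns
listed above.  Constructed data; the rule fields and thresholds are assumptions."""
from datetime import date

INTERNAL = {"office", "production", "servers", "backup", "mgmt"}
ADMIN_ZONES = {"mgmt"}  # the only zone that may open connections into backup

# Constructed ruleset.  "any" is a wildcard; reviewed = date of last review.
RULES = [
    {"id": 10, "src": "office", "dst": "servers", "proto": "tcp", "port": 445,
     "reviewed": date(2026, 3, 1)},
    {"id": 20, "src": "any", "dst": "any", "proto": "any", "port": "any",
     "reviewed": date(2023, 6, 1)},                 # the 'allow everything' shortcut
    {"id": 30, "src": "guest", "dst": "servers", "proto": "tcp", "port": 443,
     "reviewed": date(2026, 1, 15)},                # guest into an internal zone
    {"id": 40, "src": "servers", "dst": "backup", "proto": "tcp", "port": "any",
     "reviewed": date(2024, 2, 1)},                 # broad inbound to backup, stale
    {"id": 50, "src": "mgmt", "dst": "backup", "proto": "tcp", "port": 22,
     "reviewed": date(2026, 4, 1)},
]

# Constructed inventory: zones each host has an interface in.  A host that
# sits in two zones is a bridge around the firewall.
HOSTS = {
    "fs01": {"servers"},
    "legacy-hmi": {"production", "office"},   # dual-homed legacy system
    "jump01": {"mgmt"},
}


def audit(rules, hosts, today, max_age_days=365):
    """Return a list of (check, detail) findings."""
    findings = []
    for r in rules:
        rid = r["id"]
        wild = [f for f in ("src", "dst", "port") if r[f] == "any"]
        if len(wild) == 3:
            findings.append(("allow-all", f"rule {rid} permits any->any on any port"))
        elif wild:
            findings.append(("overly-broad", f"rule {rid} has wildcard {', '.join(wild)}"))
        if r["src"] == "guest" and r["dst"] in INTERNAL:
            findings.append(("guest-to-internal", f"rule {rid} lets guest reach {r['dst']}"))
        if r["dst"] == "backup" and r["src"] not in ADMIN_ZONES:
            findings.append(("inbound-to-backup",
                             f"rule {rid} lets {r['src']} open connections into backup"))
        if (today - r["reviewed"]).days > max_age_days:
            findings.append(("stale-rule", f"rule {rid} last reviewed {r['reviewed']}"))
    for host, zones in hosts.items():
        if len(zones) > 1:
            findings.append(("bridge-host", f"{host} has interfaces in {sorted(zones)}"))
    return findings


def audit_summary(rules=RULES, hosts=HOSTS, today=date(2026, 5, 28)):
    """Count findings per check; the default date is the article's publication date."""
    counts = {}
    for check, _detail in audit(rules, hosts, today):
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for check, detail in audit(RULES, HOSTS, date(2026, 5, 28)):
        print(f"[{check}] {detail}")
```

Run against a real export, the "bridge-host" check is the one most often overlooked: a dual-homed legacy system reconnects two zones no matter how tight the firewall rules are, so the inventory has to be audited alongside the ruleset.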

Frequently Asked Questions

Is a VLAN enough for security?

A VLAN separates areas logically, but on its own it does not stop a threat if traffic between VLANs flows unfiltered. Within a VLAN, everything remains reachable. Real security only emerges when a firewall with clear rules sits between the zones and permits only the necessary connections. The VLAN is the boundary; the filter rule is the protection.

What is the difference between segmentation and micro-segmentation?

Traditional segmentation divides the network into a few broad zones – office, servers, and production, for example. Micro-segmentation goes further, applying rules between individual systems or workloads, often identity-based and independent of physical location on the network. It limits lateral movement most effectively, but is more complex to set up and maintain.

Where should a mid-sized company segment first?

At the three points with the greatest potential for damage: separate the guest and Wi-Fi network from the internal network, isolate production and machine control systems from office IT, and place critical servers and backups in their own zone. These three boundaries contain the bulk of realistic damage without requiring a full network rebuild all at once.

Doesn’t segmentation make the network too complicated?

It does increase maintenance overhead – that is the trade-off. But the complexity stays manageable if you start with a small number of clearly defined zones and only open the connections that are truly needed. The effort is nowhere near proportional to the damage caused by an incident that spreads unchecked. What matters is documenting the rules so they remain transparent and easy to maintain.

Does segmentation help against ransomware?

Yes, and at the most critical point. Ransomware relies on spreading after the initial infection and encrypting as many systems as possible. A clean network separation confines that spread to the zone of the initial infection and to whatever the rules explicitly allow, instead of letting it tear through the entire network. Combined with isolated, protected backups, it is one of the most effective measures against a total outage.

Image source: Cover illustration by the SecurityToday editorial team

About the author: Alec Chizhik

A magazine by Evernine Media GmbH