Network Security · 15 March 2025 · 5 min read

Network Segmentation: Why Keeping Systems Separate Matters

Network segmentation limits the damage when an attacker gets in. Here's what it is and how even small businesses can benefit from it.


When One Breach Becomes Many

Imagine a ship with no internal walls. One breach in the hull and the entire vessel fills with water. Now imagine a ship divided into sealed compartments. A breach in one compartment floods only that section — the rest of the ship remains intact, giving the crew time to respond.

This is the principle behind network segmentation. Instead of treating your entire business network as one open space where every device can communicate freely with every other, you divide it into separate sections. If an attacker — or a piece of malware — gets into one section, they can't automatically access everything else.

For Australian small businesses, this might sound like an enterprise IT concept. But the basic principles can be applied at any scale, and the guest WiFi network you probably already have is a simple form of network segmentation you may not have recognised as such.

Why a Flat Network Is Risky

Most small business networks are "flat" — meaning all devices are on the same network and can communicate with each other freely. Your accounting computer, the staff smartphones, the point-of-sale terminal, the office printer, and the visitor WiFi all share the same network space.

This creates a problem: if any one of those devices is compromised, an attacker can potentially reach all the others. A piece of malware that gets onto a staff member's laptop can scan the network, find your accounting server, and spread to it. A compromised IoT device (a smart TV, a WiFi thermostat, a network-connected camera) can be used as a launching point to attack more sensitive systems.

Network segmentation limits this "lateral movement" — the ability of an attacker to move freely across your network after gaining initial access.

Simple Segmentation Any Small Business Can Implement

Full network segmentation at an enterprise level involves sophisticated firewall rules and multiple VLANs (Virtual Local Area Networks) configured by network engineers. But there are simpler steps that give you meaningful protection:

Guest WiFi network

If your router supports it (most modern ones do), set up a separate guest WiFi network for visitors, customers, and personal devices. Devices on the guest network can access the internet but cannot see or communicate with devices on your main business network. This is the most accessible form of segmentation for small businesses and should be a baseline standard.

Separate IoT devices

Smart TVs, WiFi-enabled printers, security cameras, and other Internet of Things (IoT) devices often have poor security track records. They receive infrequent updates, may have default or hardcoded passwords, and are commonly targeted by attackers. Putting these devices on a separate network — the guest network is fine if you don't have a dedicated IoT VLAN — means that if one is compromised, it can't reach your business computers and data.

Separate payment systems

If your business processes card payments, your point-of-sale (POS) system should ideally be on its own network segment, completely isolated from general business systems. This is actually a requirement under the Payment Card Industry Data Security Standard (PCI DSS) for businesses that handle card payments. Even if you're not formally required to comply, isolating payment systems is excellent practice.

VLANs: The Next Step Up

If you're working with a managed switch and a business-grade router, you can implement proper VLANs. A VLAN (Virtual Local Area Network) creates logically separate networks on the same physical hardware. You might have one VLAN for general staff devices, one for servers, one for IoT devices, and one for guest access.

Traffic between VLANs is controlled by firewall rules — you can specify exactly which types of communication are allowed between segments and block everything else. For example, you might allow staff devices to access the server VLAN (to reach file servers), but not allow any device to communicate with the payment system VLAN except the POS terminal itself.
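As an added example (not code from the original article), the following Python script models the inter-VLAN policy just described: default deny between segments, staff allowed to reach the server VLAN on file-sharing and web ports, and a single POS terminal as the only host permitted into the payment segment. The subnets, VLAN layout, ports and the POS terminal address are all constructed assumptions; the script can answer whether a given flow should be forwarded, which lets a rule set be sanity-checked before it goes on the router, and it renders the same policy as an nftables forward chain.

```python
# Added example: a small inter-VLAN policy model for the segmentation
# described above. Subnets, VLAN layout, ports and the POS terminal
# address are constructed assumptions, not values from the article.
import ipaddress

SEGMENTS = {  # constructed subnets, one per VLAN
    "staff": "10.10.0.0/24", "servers": "10.20.0.0/24", "iot": "10.30.0.0/24",
    "guest": "10.40.0.0/24", "payment": "10.50.0.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}
POS_TERMINAL = "10.10.0.50"  # assumed address of the one host allowed into 'payment'

# Explicit cross-segment allow list: (source segment or host, destination segment,
# permitted TCP ports). Anything not matched is dropped: default deny between VLANs.
ALLOW = [
    ("staff", "servers", {443, 445}),   # staff -> file server / intranet only
    (POS_TERMINAL, "payment", {443}),   # only the POS terminal reaches payment
]

def segment_of(ip):
    """Map an address to its segment name, or 'internet' if it is not one of ours."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETS.items() if addr in net), "internet")

def src_matches(rule_src, ip):
    """A rule source is either a segment name or a single host address."""
    return rule_src == segment_of(ip) or rule_src == str(ipaddress.ip_address(ip))

def is_allowed(src, dst, dport):
    """Would a new TCP flow src -> dst:dport be forwarded between segments?"""
    s, d = segment_of(src), segment_of(dst)
    if s == "internet":
        return False                   # no unsolicited inbound from outside
    if s == d or d == "internet":
        return True                    # intra-VLAN is switched, not firewalled;
                                       # every VLAN may reach the internet
    return any(src_matches(rs, src) and rd == d and dport in ports
               for rs, rd, ports in ALLOW)

def render_nftables():
    """Render the same policy as an nftables forward chain (text only, not applied)."""
    internal = ", ".join(SEGMENTS.values())
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for rs, rd, ports in ALLOW:
        saddr = SEGMENTS.get(rs, rs)   # segment name -> CIDR; a host address stays as-is
        plist = ", ".join(str(p) for p in sorted(ports))
        lines.append(f"    ip saddr {saddr} ip daddr {SEGMENTS[rd]} tcp dport {{ {plist} }} accept")
    lines.append(f"    ip saddr {{ {internal} }} ip daddr != {{ {internal} }} accept")
    return "\n".join(lines + ["  }", "}"])
```

Running `print(render_nftables())` shows the rule set; `is_allowed("10.30.0.9", "10.20.0.5", 445)` returning `False` is the IoT-to-server case the article warns about.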

Implementing VLANs typically requires the help of an IT professional or managed service provider, but the investment is worthwhile for businesses with multiple systems handling sensitive data.

Segmentation and the Essential Eight

The Australian Signals Directorate's Essential Eight framework includes "restrict administrative privileges" and "network segmentation" as key controls for limiting the impact of a security incident. Particularly for businesses at higher maturity levels of the Essential Eight, proper network segmentation is an important component of demonstrating a robust security posture.

Under Australia's Cyber Security Act 2024, larger businesses and critical infrastructure operators face increasing obligations around security controls. While smaller businesses aren't subject to the same formal requirements, the frameworks developed for larger organisations provide a useful benchmark for what good security looks like.

Practical Steps to Get Started

  1. Audit your current network — list all devices connected to your business network
  2. Enable guest WiFi if you haven't already, and move personal devices and IoT devices onto it
  3. Identify your most sensitive systems — what data or systems would cause the most damage if compromised?
  4. Talk to an IT provider about whether VLAN segmentation makes sense for your business size and complexity
  5. Review firewall rules to ensure traffic between network segments is appropriately restricted

Key Takeaways

  • A flat network allows attackers to move freely between devices once they've gained a foothold — segmentation limits this
  • A separate guest WiFi network is the simplest and most accessible form of network segmentation
  • IoT devices should be isolated from business systems — put them on the guest or a dedicated IoT network
  • Payment systems should be separated from general business networks, especially if you handle card payments
  • For more complex environments, VLANs managed with firewall rules provide granular control over network traffic

Network segmentation is one of several network security areas assessed by the free tool at flagged.com.au. Take the assessment today to understand where your business network may be leaving you exposed.

Tags: network segmentation, network security, small business, cyber defence