✍️ About This Guide
Written by the network security and infrastructure team at CodeHyper, a Sydney-based managed IT and cybersecurity provider. Our team designs and implements network segmentation architectures for Australian businesses across manufacturing, healthcare, financial services, legal, and retail sectors. Technical statistics cited in this guide are sourced from CrowdStrike’s 2026 Global Threat Report, Gartner’s market research on microsegmentation, CISA’s July 2025 Microsegmentation in Zero Trust guidance, and Verizon’s 2025 Data Breach Investigations Report.
Here is a number that should concentrate the mind of every Australian IT manager: according to CrowdStrike’s 2026 Global Threat Report, attackers who gain initial access to a network can achieve full lateral movement within 72 minutes. That is 72 minutes from one compromised laptop to every server, every database, every backup, and every domain controller in a flat, unsegmented network.
The majority of Australian business networks, particularly those of SMBs, are flat: every device can reach every other device. Finance systems share the same network segment as reception desks. Servers are on the same VLAN as guest Wi-Fi. IoT devices such as printers, door locks and HVAC controllers communicate freely with domain controllers. This architecture was designed for convenience. In 2026, it is a ransomware attack’s best feature.
Network segmentation is the architectural control that takes that 72-minute window and makes it irrelevant, because even if an attacker compromises one device, they cannot reach anything else without crossing a controlled, monitored boundary that your security controls are watching. Over 70% of successful breaches now involve lateral movement (Verizon DBIR 2025). Segmentation is what stops lateral movement from becoming a total environment compromise.
This guide covers 10 network segmentation best practices specifically applicable to Australian businesses in 2026, from the fundamentals of VLANs and firewall zones to microsegmentation and zero trust network access. Whether you are designing a segmented network from scratch or hardening an existing environment, this guide gives you the architecture, tools, and practical steps to get it right. For immediate implementation support, explore our managed cybersecurity services or our IT infrastructure optimisation services.
What Is Network Segmentation, And Why Does Every Business Need It?
Network segmentation is the practice of dividing a computer network into smaller, isolated subnetworks, called segments or zones, with controlled access between them. Each segment operates with its own security policies, access controls, and monitoring, so that a compromise in one segment cannot freely spread to others.
Think of it like the watertight compartments in a ship’s hull. If one compartment floods, the others remain intact and the ship doesn’t sink. In a flat, unsegmented network, a single breach can flood the entire environment. With proper segmentation, a breach in the guest Wi-Fi segment cannot reach your financial systems. A compromised IoT printer cannot access your domain controllers. Ransomware that encrypts one workstation cannot propagate to your backup servers.
The Flat Network Problem
A flat network is one where all devices are connected on the same network segment with no internal boundaries. Traffic flows freely between workstations, servers, printers, IoT devices, and management systems. From an attacker’s perspective, a flat network is the ideal environment: once inside, everything is reachable. No additional credentials, no additional barriers, no monitoring at internal boundaries.
This is precisely the design that ransomware operators exploit to maximise damage. Ransomware doesn’t just encrypt the device it lands on; it scans the network for accessible file shares, database servers, and backup systems, then encrypts everything it can reach before the ransom note appears. In a flat network, that scan finds everything. In a segmented network, it finds only what its starting point is permitted to access.
Network Segmentation vs Microsegmentation: What Is the Difference?
Understanding both terms is important because they represent different levels of granularity in the same security discipline.
| Aspect | Traditional Network Segmentation |
| --- | --- |
| What it segments | Broad network zones (VLANs, subnets, firewall zones) |
| How it’s enforced | Firewalls and ACLs at network boundaries |
| Traffic focus | North-south (in/out of zones) |
| Granularity | Zone-level: all devices in a zone have the same access policies |
| Complexity | Moderate: manageable with VLANs and firewall rules |
| Best for | On-premises networks, separating major business functions, IoT isolation |
| SMB applicability | Highly practical and achievable with standard networking equipment |
For most Australian SMBs, traditional network segmentation using VLANs and firewall rules is the right starting point: it is practical, achievable, and delivers significant security uplift over a flat network. Microsegmentation is the next step for organisations with cloud workloads, hybrid environments, or specific high-value asset protection requirements. Both are explored in this guide.
10 Network Segmentation Best Practices for Australian Businesses in 2026
Best Practice 1: Map Your Network Before You Segment It
You cannot segment what you cannot see. The foundational step in any network segmentation project is a complete network discovery and asset inventory: understanding every device, workload, and traffic flow in your environment before drawing any boundaries.
Attempting to implement segmentation without a complete network map leads to two equally bad outcomes: over-segmentation that breaks legitimate business applications, or under-segmentation that leaves critical assets in insufficiently protected zones.
Your network map must include:
- Every device on the network: workstations, servers, laptops, mobile devices, printers, IoT devices, network equipment, CCTV systems, HVAC controllers, access control systems
- Every traffic flow: which devices communicate with which other devices, on which ports and protocols, and why. This is the baseline that segmentation policies are built around
- Data classifications: which systems hold or process sensitive data, personal information, financial data, intellectual property, health records
- Dependencies: which applications depend on which servers, which users need access to which systems, which third-party connections exist
Network discovery tools, including Nmap, Lansweeper, Microsoft Defender for Endpoint’s device inventory, and purpose-built asset management platforms, automate much of this work. The output is a network map that becomes the foundation for your segmentation design. This process also frequently uncovers shadow IT: unauthorised devices and services that nobody knew were on the network, many of which represent immediate security risks.
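The traffic-flow baseline described above can be built directly from flow records once the zone plan is known. The script below is an added example, not CodeHyper’s tooling or any product’s feature: the zone CIDRs and the flow records are constructed sample data (in practice they would come from a NetFlow/IPFIX export, firewall logs or a discovery tool). It aggregates flows into a zone-to-zone matrix of services seen, and separately lists addresses that fall outside every planned zone, which is exactly where shadow IT shows up.

```python
"""Build an inter-zone traffic baseline from flow records (added example)."""
import ipaddress
from collections import defaultdict

# Constructed zone plan: zone name -> CIDR. The names follow the VLAN plan
# used in this guide; the address ranges are assumptions for the example.
ZONES = {
    "Corporate Workstations": "10.10.0.0/24",
    "Servers": "10.20.0.0/24",
    "Management": "10.30.0.0/24",
    "IoT & Operational": "10.50.0.0/24",
    "Guest Wi-Fi": "10.70.0.0/24",
}
_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}

# Constructed flow records: (src_ip, dst_ip, protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", "tcp", 445),     # workstation -> file server
    ("10.10.0.22", "10.20.0.5", "tcp", 445),
    ("10.10.0.15", "10.20.0.10", "tcp", 389),    # workstation -> domain controller (LDAP)
    ("10.10.0.15", "10.10.0.22", "tcp", 445),    # workstation -> workstation (intra-zone)
    ("10.50.0.7", "10.20.0.5", "tcp", 445),      # printer -> file server (scan-to-folder?)
    ("10.50.0.7", "10.20.0.10", "tcp", 389),     # printer -> domain controller (unexpected)
    ("10.70.0.40", "10.20.0.5", "tcp", 445),     # guest -> file server (should not exist)
    ("10.30.0.2", "10.20.0.5", "tcp", 22),       # management host -> server (SSH)
    ("192.168.99.9", "10.20.0.5", "tcp", 3389),  # address in no planned zone
]


def zone_of(ip):
    """Return the zone name for an address, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS.items():
        if addr in net:
            return name
    return None


def build_baseline(flows):
    """Aggregate flows into {(src_zone, dst_zone): {(proto, port): count}}.

    Intra-zone traffic appears as (zone, zone) pairs so east-west traffic is
    visible too. Addresses outside every planned zone are returned separately:
    they are the unknown devices the mapping step exists to find.
    """
    matrix = defaultdict(lambda: defaultdict(int))
    unknown = set()
    for src, dst, proto, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None:
            unknown.add(src)
        if dst_zone is None:
            unknown.add(dst)
        if src_zone is None or dst_zone is None:
            continue
        matrix[(src_zone, dst_zone)][(proto, port)] += 1
    return {pair: dict(svcs) for pair, svcs in matrix.items()}, sorted(unknown)


def print_baseline(flows):
    """Human-readable dump of the baseline for review with application owners."""
    matrix, unknown = build_baseline(flows)
    for (src_zone, dst_zone), services in sorted(matrix.items()):
        seen = ", ".join(f"{p}/{port} x{n}" for (p, port), n in sorted(services.items()))
        print(f"{src_zone:24} -> {dst_zone:24} {seen}")
    for ip in unknown:
        print(f"unknown device (not in any planned zone): {ip}")


if __name__ == "__main__":
    print_baseline(SAMPLE_FLOWS)
```

Each row of the output is a candidate firewall rule; each row you cannot explain (here, the printer reaching the domain controller and the guest device reaching a file server) is either an undocumented dependency to document or a flow to deny once enforcement begins.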
Best Practice 2: Classify Assets by Risk and Sensitivity
After mapping, classify every asset according to its security sensitivity and business criticality. This classification drives your segmentation design: assets with similar sensitivity and trust levels belong together; assets with different trust levels must be separated.
A practical four-tier classification for Australian SMBs:
| Tier | Description & Examples |
| --- | --- |
| Tier 1: Critical / Restricted | Assets holding the most sensitive data or providing the highest business value. Domain controllers, financial systems, backup infrastructure, HR databases, customer PII repositories, clinical systems. These require the strictest isolation and the most granular access controls |
| Tier 2: Internal / Sensitive | Standard business systems used by staff. Email servers, file servers, ERP systems, CRM platforms, internal applications. Accessible to authorised staff but not to guests, IoT devices, or external parties |
| Tier 3: Operational / Low Trust | Devices and systems with specific functions but lower trust levels. IoT devices, CCTV systems, printers, building management systems, POS terminals. These should be isolated from Tier 1 and Tier 2 systems |
| Tier 4: Untrusted / External | Guest Wi-Fi, BYOD devices, contractor access, external partner connections. These must be completely isolated from all business systems and should only access the internet |
The segmentation design principle is simple: devices in lower tiers should never have uncontrolled access to devices in higher tiers. A guest Wi-Fi user (Tier 4) should never be able to reach a domain controller (Tier 1). A printer (Tier 3) should never initiate connections to a financial database (Tier 1).
Best Practice 3: Implement VLANs to Create Logical Network Zones
VLANs (Virtual Local Area Networks) are the foundational technical mechanism for network segmentation in most Australian business environments. A VLAN groups devices into a logical broadcast domain, independent of physical location, allowing you to separate different types of traffic and restrict communication between groups.
A practical VLAN structure for a typical Australian SMB:
| VLAN Name | Devices / Purpose |
| --- | --- |
| VLAN 10: Corporate Workstations | All staff laptops and desktops, standard users performing day-to-day work |
| VLAN 20: Servers | All on-premises servers, file servers, application servers, domain controllers |
| VLAN 30: Management | IT administration devices, management consoles, RMM agents, restricted to IT staff only |
| VLAN 40: Finance & HR | Systems handling payroll, financial data, and HR records, extra isolation from general workstations |
| VLAN 50: IoT & Operational | Printers, CCTV, building management, door access, HVAC, completely isolated from business systems |
| VLAN 60: VoIP | IP phones and VoIP infrastructure, separated to improve call quality and limit attack surface |
| VLAN 70: Guest Wi-Fi | Visitor and BYOD devices, internet access only, no access to any business resources |
| VLAN 80: Backup Infrastructure | Backup servers and storage, isolated from user workstations to protect against ransomware targeting backups |
VLANs alone are not sufficient; they must be combined with inter-VLAN firewall rules that define what traffic is permitted between zones. Without firewall rules, VLAN membership prevents accidental cross-VLAN traffic but does not prevent deliberate attacker traversal. Every boundary between VLANs must have an explicit allow/deny policy.
Best Practice 4: Use Firewalls as Internal Boundaries, Not Just Perimeter Guards
Most Australian SMBs have a firewall at the internet boundary, the perimeter. Very few have firewalls between internal network segments. This is the fundamental gap that allows lateral movement: once an attacker breaches the perimeter, they are inside the trusted network and face no further controls.
Internal firewalls, also called east-west firewalls or inter-segment firewalls, enforce the traffic policies between your VLANs. They inspect and control traffic flowing between network zones, enforcing your segmentation policies at the packet level.
Key internal firewall practices:
- Default deny between segments: Traffic between VLANs is blocked by default; only explicitly permitted traffic flows are allowed. This is the opposite of the default in most SMB environments, where all traffic is permitted until explicitly blocked
- Least privilege traffic rules: Only the specific ports and protocols required for legitimate business functions are permitted between segments. No broad ‘allow all’ rules between VLANs
- Log all inter-segment traffic: Every connection crossing a segment boundary should be logged and available for analysis. Anomalous inter-segment traffic is often the first detectable sign of lateral movement
- Separate management plane: The network management interfaces (firewall admin consoles, switch management, server management) should be accessible only from the dedicated management VLAN, not from standard user workstations
For Australian SMBs, next-generation firewalls (NGFWs) from vendors like Fortinet, Palo Alto, Cisco Meraki, or Sophos provide both perimeter and internal segmentation capability within a single platform, making the deployment and management of inter-VLAN policies practical at SMB scale.
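The four practices above, together with the tier principle from Best Practice 2, can be checked mechanically against an exported rule base. The linter below is an added example, not vendor tooling: it works on a generic (name, source zone, destination zone, service, action) rule shape that any NGFW export would first be normalised to, and both the tier mapping and the sample rules are constructed for the illustration. It flags allow-all services between zones, uncontrolled access from a lower-trust zone to a higher-trust one, any non-management zone reaching the management plane, guest rules that reach business zones, and a policy that ends without an explicit deny-all.

```python
"""Lint an inter-VLAN firewall rule set against default-deny and least-privilege practice.

Added example; the Rule shape, the tier table and the sample rules are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # zone name, or "any"
    dst: str      # zone name, or "any"
    service: str  # e.g. "tcp/445", "udp/53", or "any"
    action: str   # "allow" or "deny"


# Constructed trust tiers (1 = most trusted) for the guide's VLAN zones.
TIER = {
    "Servers": 1, "Backup Infrastructure": 1, "Management": 1, "Finance & HR": 1,
    "Corporate Workstations": 2,
    "IoT & Operational": 3, "VoIP": 3,
    "Guest Wi-Fi": 4,
}

# Constructed sample rule base, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("ws-to-fileshare", "Corporate Workstations", "Servers", "tcp/445", "allow"),
    Rule("ws-to-ldap", "Corporate Workstations", "Servers", "tcp/389", "allow"),
    Rule("print-from-ws", "Corporate Workstations", "IoT & Operational", "tcp/9100", "allow"),
    Rule("iot-any", "IoT & Operational", "Servers", "any", "allow"),               # too broad
    Rule("helpdesk-mgmt", "Corporate Workstations", "Management", "tcp/443", "allow"),  # mgmt plane exposed
    Rule("guest-internet-only", "Guest Wi-Fi", "any", "any", "allow"),             # "any" includes internal zones
    Rule("mgmt-ssh", "Management", "Servers", "tcp/22", "allow"),
    # Note: no explicit final deny-all rule
]


def lint_rules(rules):
    """Return a list of (rule_name, finding) pairs; an empty list means no findings."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_t, dst_t = TIER.get(r.src), TIER.get(r.dst)
        # Destination "any" from an internal zone reaches every other internal zone too.
        if r.dst == "any" and src_t is not None:
            findings.append((r.name, "destination 'any' reaches every internal zone; scope egress rules to the internet"))
        # Least privilege: cross-zone rules must name the ports they need.
        if r.service == "any" and r.src != r.dst and r.dst != "any":
            if src_t is not None and dst_t is not None and src_t > dst_t:
                findings.append((r.name, "uncontrolled (any-service) access from a lower-trust to a higher-trust zone"))
            else:
                findings.append((r.name, "allow-all service between zones; restrict to the required ports"))
        # Management plane is reachable only from the management VLAN.
        if r.dst == "Management" and r.src != "Management":
            findings.append((r.name, "management plane reachable from a non-management zone"))
        # Tier 4 (untrusted) never reaches a business zone at all.
        if src_t == 4 and dst_t is not None:
            findings.append((r.name, "untrusted zone permitted to reach a business zone; guests should get internet only"))
    # Default deny must be explicit as the final rule, not assumed.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == last.dst == last.service == "any"):
        findings.append(("<end of policy>", "no explicit final deny-all rule; add one so the inter-zone default is deny"))
    return findings


if __name__ == "__main__":
    for name, finding in lint_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the sample, the linter reports the IoT allow-all, the helpdesk rule into the management VLAN, the guest rule whose destination `any` also matches internal zones, and the missing final deny; the three specific workstation and management rules pass.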
Best Practice 5: Isolate IoT and OT Devices on a Dedicated Segment
IoT devices are among the most exploited attack vectors in modern Australian networks, and among the most frequently left on the same VLAN as business systems. The problem is structural: IoT devices typically cannot run endpoint security agents, cannot receive regular patching, and often run outdated firmware with known vulnerabilities. They are, effectively, permanently vulnerable devices that must be assumed to be compromised at some point.
The response is strict isolation: put every IoT device on its own dedicated VLAN with firewall rules that permit only the specific outbound connections required for the device’s function, and deny everything else. A printer should be able to receive print jobs from authorised workstations and perhaps send scan data to a designated folder. It should not be able to initiate connections to domain controllers, file servers, or the internet at large.
IoT devices requiring dedicated segmentation in Australian business environments:
- Network printers and multifunction devices
- IP CCTV cameras and network video recorders
- Building management systems (HVAC, lighting, access control)
- Smart TVs and digital signage
- Point-of-sale terminals and EFTPOS systems
- Voice assistants and smart conference room equipment
- Industrial control systems and SCADA environments
- Medical devices in healthcare environments (a critical requirement under the ASD Essential Eight and increasingly under Australian healthcare cybersecurity guidance)
The IoT cybersecurity threat landscape has become increasingly complex as attackers specifically target IoT devices as pivot points into otherwise well-defended networks. Isolation is the most effective control because it eliminates the risk rather than trying to patch it away.
Best Practice 6: Apply the Principle of Least Privilege to Network Access
The principle of least privilege (giving every user, device, and application only the access they need to perform their specific function and nothing more) applies to network access just as it does to identity and system permissions.
In practice, this means:
- Users access only the segments their role requires: A receptionist should have access to email, printing, and booking systems, not to the financial server or development environment
- Applications communicate only with their dependencies: A CRM application should be able to reach its database server and the email relay, not to propagate freely across the network
- Service accounts are scoped to their function: Backup agents, monitoring tools, and automation scripts should have network access only to the specific systems they need to reach, using dedicated accounts not shared with interactive users
- Third-party and vendor access is segmented: Remote vendors and contractors should access only the specific systems they manage, through dedicated jump servers or VPN tunnels that limit their network visibility
Combining network least privilege with identity-based access controls, particularly Microsoft Entra ID Conditional Access, creates a layered defence where even a compromised credential cannot reach sensitive systems because both the identity and the network path must be authorised.
Best Practice 7: Protect Your Backup Infrastructure as Its Own High-Security Zone
Ransomware operators know that backups are the primary tool for recovery without paying a ransom. Their standard playbook is to destroy or encrypt backups before launching the final ransomware payload, eliminating the victim’s ability to recover independently. If your backup systems are on the same network segment as your workstations, this is trivially achievable.
Your backup infrastructure must be treated as a Tier 1 Critical segment with the strictest isolation of any zone in your network:
- No inbound connections from user workstations: User devices should never be able to initiate connections to backup systems. Backup agents pull data from sources or receive data from a backup server; they do not accept connections from endpoints
- No direct internet access: Backup systems should not have direct outbound internet access, which attackers can use to exfiltrate backup keys or delete cloud backup targets
- Dedicated management credentials: Backup system admin accounts must be completely separate from domain admin accounts and from any accounts accessible from user workstations
- Immutable backup storage: Configure backup storage with immutability (write-once, read-many protection that prevents modification or deletion for a defined retention period, even with admin credentials)
Our detailed guide on cloud backup strategy and Microsoft 365 backup covers the technical implementation of isolated, immutable backup architectures for Australian businesses.
Best Practice 8: Segment Remote Access and Work-from-Home Traffic
Remote work has fundamentally changed the network perimeter for Australian businesses. When employees connect from home networks, potentially shared with insecure devices and using home routers with default passwords, the security of your network is only as good as your remote access controls.
Best practices for segmenting remote access:
- VPN with split tunnelling controls: Configure VPN policies that route business traffic through protected tunnels and restrict which network segments remote users can access based on their role, not a single ‘connected = full access’ model
- Network Access Control (NAC): Verify device health before granting network access, check for EDR agent presence, patch compliance, and OS version before admitting devices to sensitive segments
- Dedicated remote access segment: Create a dedicated VLAN for remote user connections that sits behind additional inspection before accessing internal servers
- Zero Trust Network Access (ZTNA): Replace traditional VPN with application-specific access where users are granted access to specific applications rather than the whole network; users never see or touch network segments they don’t need
- Jump servers for administrative access: IT administrators connecting remotely should access management systems through a dedicated, hardened jump server in the management VLAN, not directly to production systems
Best Practice 9: Monitor Traffic Between Segments, Because Segmentation Without Visibility Is Incomplete
Network segmentation limits what attackers can reach, but without monitoring, you won’t know when someone is trying to reach something they shouldn’t. Segmentation without visibility creates a false sense of security: you have boundaries, but you have no early warning when those boundaries are being probed or crossed.
Every network segment boundary should generate logs and alerts:
- Log all inter-segment traffic: Every connection crossing a VLAN boundary should be logged with source, destination, port, protocol, and permit/deny outcome
- Alert on unusual lateral movement patterns: A workstation attempting to reach the management VLAN, or a printer attempting to initiate connections to a server, should generate an immediate alert
- Monitor for reconnaissance behaviour: Port scanning, ARP sweeps, and SMB enumeration across segment boundaries are strong indicators of an attacker performing lateral movement preparation
- Integrate with EDR telemetry: Combine network segmentation logs with endpoint telemetry from your EDR solution for a full picture of both network and process-level behaviour
For Australian SMBs, Microsoft Defender for Business combined with Microsoft Sentinel provides endpoint and network security visibility that integrates with segmentation logs to detect lateral movement attempts in near real-time. Our guide on responding to alerts in EDR explains how to build an effective alert response workflow.
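The three detections listed above (a workstation touching the management VLAN, a printer initiating connections to a server, and port-scan-like probing across a boundary) are simple to express over boundary firewall logs. The script below is an added example rather than a Defender or Sentinel integration: the log lines are constructed in a plain key=value format, and a real deployment would parse the NGFW’s native log format or run the equivalent query in the SIEM. Only denied events are treated as signal; permitted flows are the baseline.

```python
"""Detect lateral-movement indicators in inter-segment firewall deny logs (added example)."""
from collections import defaultdict
from datetime import datetime

SCAN_PORT_THRESHOLD = 5   # distinct (host, port) targets denied from one source ...
SCAN_WINDOW_SECONDS = 60  # ... within this many seconds counts as reconnaissance

# Constructed sample log lines in a simplified key=value format.
SAMPLE_LOG = """\
2026-03-10T14:16:02 action=allow src=10.10.0.22 dst=10.20.0.5 proto=tcp dport=445 src_zone=Corporate dst_zone=Servers
2026-03-10T14:16:05 action=deny src=10.10.0.15 dst=10.30.0.2 proto=tcp dport=443 src_zone=Corporate dst_zone=Management
2026-03-10T14:16:09 action=deny src=10.50.0.7 dst=10.20.0.10 proto=tcp dport=389 src_zone=IoT dst_zone=Servers
2026-03-10T14:17:00 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=22 src_zone=Corporate dst_zone=Servers
2026-03-10T14:17:03 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=135 src_zone=Corporate dst_zone=Servers
2026-03-10T14:17:06 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=139 src_zone=Corporate dst_zone=Servers
2026-03-10T14:17:08 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=3389 src_zone=Corporate dst_zone=Servers
2026-03-10T14:17:12 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=1433 src_zone=Corporate dst_zone=Servers
2026-03-10T14:17:15 action=deny src=10.10.0.99 dst=10.20.0.5 proto=tcp dport=5985 src_zone=Corporate dst_zone=Servers
2026-03-10T14:25:40 action=deny src=10.10.0.22 dst=10.20.0.5 proto=tcp dport=8080 src_zone=Corporate dst_zone=Servers
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime and an int port."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    event["dport"] = int(event["dport"])
    return event


def detect(log_text):
    """Return a list of (alert_kind, source, target) tuples for the three detections."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    denies_by_src = defaultdict(list)
    for ev in events:
        if ev["action"] != "deny":
            continue  # permitted flows are baseline traffic; denies at a boundary are the signal
        # 1. Any non-management zone touching the management plane.
        if ev["dst_zone"] == "Management" and ev["src_zone"] != "Management":
            alerts.append(("management-plane-access", ev["src"], ev["dst"]))
        # 2. A low-trust device initiating a connection toward the server zone.
        if ev["src_zone"] == "IoT" and ev["dst_zone"] == "Servers":
            alerts.append(("iot-to-server", ev["src"], ev["dst"]))
        denies_by_src[ev["src"]].append(ev)
    # 3. Reconnaissance: many distinct targets denied from one source in a short window.
    for src, evs in denies_by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if (e["time"] - first["time"]).total_seconds() > SCAN_WINDOW_SECONDS:
                    break
                targets.add((e["dst"], e["dport"]))
            if len(targets) >= SCAN_PORT_THRESHOLD:
                alerts.append(("port-scan", src, first["dst_zone"]))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for kind, src, target in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {src} -> {target}")
```

The single stray deny from 10.10.0.22 late in the sample produces nothing, which is the intended behaviour: isolated blocked connections are noise, while the management-plane touch, the printer reaching a domain controller, and six distinct ports probed from one host inside a minute are each worth an immediate ticket.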
Best Practice 10: Test, Audit, and Maintain Segmentation Regularly
Network segmentation is not a set-and-forget control. Environments change: new devices are added, applications change their traffic patterns, VLANs are modified for operational reasons, and firewall rules accumulate over time until the original segmentation intent is obscured by policy sprawl. Without regular testing and auditing, you may believe you are segmented when in practice your boundaries are full of holes.
Ongoing segmentation maintenance must include:
- Annual segmentation audit: Review all VLAN assignments, firewall rules, and inter-segment policies against your current network map and risk classification. Remove rules that no longer serve a purpose; accumulated permissive rules are a primary source of segmentation degradation
- Penetration testing: Commission annual or biannual penetration testing that specifically validates segmentation boundaries. A penetration tester attempting to move laterally from a compromised workstation should encounter controlled, monitored boundaries; verify that this is actually the case
- Change management process: Every change to the network (new device, new application, new VLAN, new firewall rule) must go through a documented change management process that assesses segmentation impact before implementation
- New device onboarding: Define a process for classifying and assigning new devices to appropriate segments before they connect to the network. ‘Plug it in wherever there’s a port’ is how IoT devices end up on server VLANs
- Segmentation testing tools: Use purpose-built tools to verify that segmentation policies are working as intended: testing that traffic that should be blocked is actually blocked, not just that the rules say it should be
Our vulnerability scanning services and penetration testing include segmentation validation as standard components, testing whether the boundaries you believe exist actually hold under simulated attack conditions.
Network Segmentation and Australian Compliance Frameworks
For Australian businesses, network segmentation is not just a security best practice; it is increasingly a compliance requirement referenced in multiple frameworks relevant to the local market.
| Framework | Segmentation Requirement | Who It Applies To |
| --- | --- | --- |
| ASD Essential Eight | Restrict Administrative Privileges (Control 5) requires privileged access isolation. Application Control (Control 1) and patching controls are significantly easier to implement and maintain in segmented environments | All Australian organisations, mandatory for Commonwealth entities under PSPF |
| Australian Privacy Act / NDB | APP 11 requires ‘reasonable steps’ to protect personal information. Network segmentation isolating PII systems is widely recognised as a reasonable technical measure | All APP entities, businesses with >$3M turnover, health providers, credit providers |
| PCI DSS (Payment Card Security) | PCI DSS v4.0 explicitly requires cardholder data environment (CDE) isolation. Segmentation is used to reduce the scope of the compliance assessment | Any business that accepts, processes, stores, or transmits payment card data |
| Cyber Insurance Underwriting | Major Australian insurers assess network segmentation, backup isolation, and management plane separation as part of underwriting. Strong segmentation evidence supports premium reduction | All businesses seeking cyber insurance coverage |
| ISO 27001:2022 | Annex A.8.22 (Segregation of Networks) requires network partitioning based on trust levels and information classification | Organisations pursuing or maintaining ISO 27001 certification |
| SOCI Act (Critical Infrastructure) | Operators of critical assets under the Security of Critical Infrastructure Act must implement network security controls; segmentation is a core element | Critical infrastructure operators: energy, water, health, finance, telecommunications, transport |
For businesses subject to cyber insurance requirements, having documented, tested network segmentation with backup isolation is a significant underwriting positive, reducing both the likelihood of a successful claim and the cost of any incident that does occur.
Real-World Case Study: How Network Segmentation Contained a Live Ransomware Attack at a Sydney Manufacturing Business
Case Study Snapshot
- Industry: Manufacturing & Distribution
- Location: Western Sydney, NSW
- Staff: 65
- Network: Mixed on-premises and Microsoft Azure
- Attack Type: Ransomware via phishing (Qakbot loader)
- Segmentation Status at Attack Time: Partially implemented, 60% complete
- Outcome: Ransomware contained to 3 workstations; production systems, financial systems, and backups unaffected
- Recovery Time: 6 hours
- Estimated Damage Avoided: $340,000+
The Background
A 65-person Western Sydney manufacturing and distribution business had engaged CodeHyper six months before this incident to implement a network segmentation project. The project was 60% complete at the time of the attack: the production and financial system VLANs had been implemented and firewall rules configured, but three workstation VLANs in the warehouse and logistics areas were still on the original flat network pending a scheduled cutover the following month.
The Attack
At 2:14 PM on a Tuesday, a logistics coordinator received a phishing email disguised as a DHL delivery notification. The email contained a malicious macro-enabled document. Despite macro controls being in place for office workstations, the warehouse workstations were still on the legacy configuration: macros were enabled by default. The coordinator opened the document. A Qakbot loader executed, establishing command-and-control communications and beginning network reconnaissance.
Within 18 minutes, the attacker had deployed a ransomware payload to the three warehouse workstations on the original flat network segment. The encryption process started on all three simultaneously.
Why the Damage Stopped There
At the boundary between the legacy flat segment and the newly implemented production VLAN, the firewall rules blocked the ransomware’s lateral movement attempts. The attack generated 847 blocked connection attempts in 22 minutes as the ransomware tried, and failed, to reach:
- Production system servers (VLAN 20): 312 blocked connection attempts to file shares and database ports
- Financial systems (VLAN 40): 198 blocked attempts to the accounting server and ERP system
- Backup infrastructure (VLAN 80): 223 blocked attempts to the Datto backup device, attempts that, if successful, would have destroyed the primary recovery mechanism
- Domain controllers (VLAN 20): 114 blocked privilege escalation attempts that would have given the attacker domain-wide access
Microsoft Defender for Business detected the ransomware execution on the three affected workstations within 4 minutes and automatically isolated them from the network. The EDR eradication process was initiated immediately. The isolation of the affected workstations meant that by the time the IT team was alerted, the attack had already been contained.
The Recovery and Aftermath
The three affected workstations were reimaged from clean baselines within 6 hours. Production systems, financial data, and all backups were completely intact; the attack never reached them. The business lost approximately half a day of productivity from three logistics workstations. There was no data exfiltration, no ransom payment, and no significant business disruption.
The forensic investigation confirmed that without the partial segmentation, the ransomware would almost certainly have reached the production servers and financial systems within the 72-minute window observed in similar attacks. The estimated cost of a full environment compromise (ransomware recovery, business interruption, data breach notification, and reputational damage) was assessed at $340,000–$480,000. The cost of the segmentation project that prevented it: $28,000.
The segmentation project was completed immediately following the incident. The warehouse workstations were moved to their own isolated VLAN within 48 hours, and macro controls were applied to all endpoint groups. Ironically, the incident served as the most convincing business case for completing a security project that had been paused due to scheduling constraints.
“The attack hit on a Tuesday afternoon. By Tuesday evening we were back to normal. I’ve spoken to other business owners who weren’t so lucky, they were down for weeks. The difference was about $28,000 worth of network segmentation. That’s the most obvious ROI calculation I’ve ever seen.”
Operations Director, Western Sydney Manufacturing Business
Network Segmentation Implementation Roadmap for Australian SMBs
Network segmentation is a staged project, not an overnight change. Rushing implementation risks breaking legitimate business applications and creating operational disruption. This phased roadmap is designed for Australian SMBs that need to move from a flat network to a properly segmented architecture without disrupting operations.
- Phase 1, Discovery and Design (Weeks 1–4): Complete network discovery and asset inventory. Classify all assets using the four-tier model. Design your VLAN structure and document all required inter-segment traffic flows. This phase requires no changes to the live network
- Phase 2, Foundation (Weeks 4–8): Configure VLANs on managed switches. Create inter-VLAN firewall rules in ‘monitor only’ mode (log but don’t block). Identify any unexpected traffic patterns that reveal undocumented dependencies. Address dependencies before enforcement
- Phase 3, High-Priority Isolation (Weeks 6–12): Implement enforcement mode for the highest-risk boundaries first. Prioritise: (1) backup infrastructure isolation, (2) management plane separation, (3) IoT device isolation, (4) guest Wi-Fi separation. These four deliver the highest security return with the lowest application disruption risk
- Phase 4, Full Segmentation (Weeks 10–20): Implement remaining VLAN assignments and firewall rules. Move department workstations to role-appropriate segments. Deploy remote access segmentation. Validate all business applications function correctly across segment boundaries
- Phase 5, Monitoring and Testing (Ongoing): Deploy logging and alerting for inter-segment traffic. Conduct penetration test to validate segmentation effectiveness. Establish quarterly review cadence and change management process
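Phase 2’s ‘monitor only’ step is where the roadmap earns its value: the proposed rules are replayed against real observed traffic before anything is blocked, so undocumented dependencies (the Mistake 3 problem, below) surface as a list to review rather than as outages. The script below is an added example, not CodeHyper’s tooling: the proposed allow rules and the zone-tagged observed flows are constructed samples. It reports which observed flows the proposed policy would deny, with volumes, and which proposed rules saw no traffic at all, which is the input the Best Practice 10 rule-pruning audit needs.

```python
"""Replay observed flows against a proposed default-deny policy before enforcing it (added example)."""

# Constructed proposed policy: (name, src_zone, dst_zone, service) allow rules,
# evaluated top to bottom. Anything not matched is denied by default.
PROPOSED_ALLOW = [
    ("ws-fileshare", "Corporate Workstations", "Servers", "tcp/445"),
    ("ws-ldap", "Corporate Workstations", "Servers", "tcp/389"),
    ("ws-print", "Corporate Workstations", "IoT & Operational", "tcp/9100"),
    ("mgmt-ssh", "Management", "Servers", "tcp/22"),
    ("mgmt-rdp", "Management", "Servers", "tcp/3389"),  # proposed, but never observed below
]

# Constructed observed flows from a monitoring period, already aggregated per
# (src_zone, dst_zone, service) with a connection count.
OBSERVED = [
    ("Corporate Workstations", "Servers", "tcp/445", 1840),
    ("Corporate Workstations", "Servers", "tcp/389", 620),
    ("Corporate Workstations", "IoT & Operational", "tcp/9100", 312),
    ("Management", "Servers", "tcp/22", 44),
    ("Servers", "Backup Infrastructure", "tcp/443", 7),   # backup agent traffic nobody documented
    ("IoT & Operational", "Servers", "tcp/445", 95),      # multifunction printer scan-to-folder
    ("Guest Wi-Fi", "Servers", "tcp/445", 3),             # should remain denied
    ("Corporate Workstations", "Management", "tcp/443", 12),  # helpdesk habit, not a requirement
]


def first_match(rules, src, dst, service):
    """Return the name of the first allow rule matching the flow, or None (default deny)."""
    for name, rule_src, rule_dst, rule_svc in rules:
        if rule_src in (src, "any") and rule_dst in (dst, "any") and rule_svc in (service, "any"):
            return name
    return None


def monitor_replay(rules, observed):
    """Return (would_deny, rule_hits).

    would_deny maps (src_zone, dst_zone, service) -> connection count for observed
    flows the policy would block; rule_hits maps rule name -> matched connections.
    """
    would_deny = {}
    rule_hits = {name: 0 for name, *_ in rules}
    for src, dst, service, count in observed:
        name = first_match(rules, src, dst, service)
        if name is None:
            key = (src, dst, service)
            would_deny[key] = would_deny.get(key, 0) + count
        else:
            rule_hits[name] += count
    return would_deny, rule_hits


def unused_rules(rule_hits):
    """Proposed rules that matched nothing during monitoring: candidates to drop before enforcement."""
    return sorted(name for name, hits in rule_hits.items() if hits == 0)


if __name__ == "__main__":
    would_deny, rule_hits = monitor_replay(PROPOSED_ALLOW, OBSERVED)
    print("Flows the proposed policy would block (review each before enforcing):")
    for (src, dst, service), count in sorted(would_deny.items(), key=lambda kv: -kv[1]):
        print(f"  {src} -> {dst} {service}: {count} connections")
    print("Proposed rules with no observed traffic:", unused_rules(rule_hits))
```

Each would-deny row gets one of three decisions before Phase 3: document it and add a port-specific allow (the backup agent), redesign it so the dependency crosses a smaller boundary (the printer’s scan destination), or confirm it should be blocked (the guest and helpdesk flows). Rules with zero hits are removed rather than carried into enforcement, so the rule base starts clean instead of inheriting sprawl.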
5 Network Segmentation Mistakes That Undermine Security
Mistake 1: Using VLANs Without Inter-VLAN Firewall Rules
VLANs separate broadcast domains; they do not, by themselves, prevent deliberate lateral movement. Without inter-VLAN firewall rules enforcing access policies, an attacker can still route traffic between VLANs using standard techniques. VLANs are the foundation; firewall rules are the enforcement mechanism. One without the other is incomplete segmentation.
Mistake 2: Creating Segmentation but Leaving Management Interfaces Accessible
The single most exploited segmentation gap is exposed management interfaces: firewall admin consoles, switch management, server iDRAC/iLO, and virtualisation management platforms accessible from user workstations. An attacker who compromises a workstation and can reach network management interfaces can potentially reconfigure or disable the segmentation itself. All management interfaces must be isolated in a dedicated management VLAN accessible only to authorised IT staff from authorised devices.
Mistake 3: Over-Segmenting Without Understanding Traffic Dependencies
Aggressive segmentation that doesn’t account for legitimate application dependencies breaks business processes. An ERP system that needs to reach an authentication server, a backup agent that needs to connect to its server, a monitoring tool that needs to reach every endpoint: all of these create legitimate cross-segment traffic that must be explicitly permitted. Audit traffic flows before implementing enforcement. Rushing to block everything creates a reactive game of whack-a-mole that erodes confidence in the project.
Mistake 4: Neglecting East-West Traffic Within Segments
Traditional segmentation polices traffic that crosses segment boundaries (north-south, in this guide's terms) but often ignores east-west traffic between hosts inside a segment. Within the corporate workstation VLAN, every workstation can still reach every other workstation over SMB, RDP and WinRM, and ransomware that lands on any one of them can propagate to the rest without ever touching the inter-VLAN firewall. Host-based firewalls and EDR isolation close this gap: a host firewall policy that blocks inbound SMB and RDP from other workstations (workstations rarely have a legitimate reason to talk to each other) removes the most common worm paths, and EDR solutions such as Microsoft Defender for Business can automatically isolate an individual endpoint when it detects suspicious behaviour, providing workstation-level containment within a VLAN.
Mistake 5: Implementing Segmentation Once and Never Reviewing It
Network environments change constantly: new applications, new devices, new staff, new remote access requirements, cloud migrations. Segmentation policies that were appropriate 18 months ago may no longer reflect the current environment. Segmentation degrades without maintenance: firewall rules accumulate, temporary "allow any" exceptions become permanent, VLAN assignments go stale, and the original security intent is gradually eroded. Quarterly rule reviews (with an owner and a business justification recorded for every cross-segment allow) and annual penetration testing keep segmentation effective over time.
Your Network’s Security Is Only as Strong as Its Weakest Internal Boundary
Ransomware does not respect flat networks; it exploits them. The businesses that contain breaches to a handful of devices and recover in hours are the businesses that built boundaries before the attacker arrived. The businesses that face weeks of downtime, six-figure recovery costs, and client notification obligations are the ones that assumed the perimeter firewall was enough.
At CodeHyper, we design and implement network segmentation architectures for Australian businesses, from initial network discovery and VLAN design through firewall configuration, monitoring integration, and ongoing penetration testing validation. Our IT infrastructure optimisation service is specifically designed for businesses that need to move from a flat network to a properly segmented architecture without operational disruption.
Explore our managed cybersecurity services for ongoing network security management, review our vulnerability scanning service to assess your current network exposure, or contact us today for a free network segmentation assessment tailored to your environment.
Frequently Asked Questions: Network Segmentation Best Practices
What is network segmentation and why does it matter for cybersecurity?
Network segmentation divides a computer network into smaller, isolated zones with controlled access between them. It matters for cybersecurity because it limits lateral movement, the ability of an attacker to spread from one compromised device to others. In a flat network, a single compromised workstation can reach every server and database in the environment. In a properly segmented network, a compromise in one zone cannot freely propagate to others, dramatically limiting the blast radius of any incident.
What are the most important network segments to implement first?
Prioritise these four segmentation boundaries for maximum immediate security impact, in order: (1) backup infrastructure isolation: separate backup systems from user workstations so that ransomware cannot destroy your recovery options; (2) management plane separation: isolate network management interfaces from user devices; (3) IoT device isolation: put printers, cameras, and building systems on a dedicated VLAN away from business systems; (4) guest Wi-Fi separation: ensure guest devices have internet access only and cannot reach internal systems.
How do VLANs relate to network segmentation?
VLANs (Virtual Local Area Networks) are the primary technical mechanism for implementing network segmentation in most business environments. They create logical network boundaries that group devices independently of physical location, separating broadcast domains and providing the foundation for inter-segment access control. VLANs must be combined with inter-VLAN firewall rules to enforce access policies: VLANs alone separate broadcast traffic, but once routing between them exists they do nothing to prevent deliberate cross-VLAN connections unless a firewall or ACL enforces a policy at that routing point.
What is the difference between network segmentation and microsegmentation?
Traditional network segmentation creates broad zones (VLANs, subnets, firewall zones) and controls traffic between them. Microsegmentation applies much more granular policies at the individual workload, application, or device level, enforced through software-defined networking or host-level agents regardless of network location. In the terms used in this guide, traditional segmentation controls north-south traffic between zones; microsegmentation controls east-west traffic within zones. For most Australian SMBs, traditional VLAN-based segmentation is the appropriate starting point, with microsegmentation as a progression for cloud workloads and high-security environments.
Does network segmentation protect against ransomware?
Yes, significantly. Ransomware relies on lateral movement to maximise damage, spreading from an initial entry point to file servers, databases, and backup systems before triggering encryption. Network segmentation limits this movement by enforcing controlled boundaries that ransomware cannot cross without being blocked and logged. The Sydney manufacturing case study in this guide demonstrates the practical effect: ransomware contained to 3 workstations with production systems and backups completely unaffected, because segmentation boundaries blocked 847 lateral movement attempts. See our guide to how staged cyber attacks work for more detail on the attack chain that segmentation disrupts.
Is network segmentation required for ASD Essential Eight compliance?
Network segmentation is not one of the eight explicit controls in the ASD Essential Eight, but it is strongly aligned with and supportive of multiple controls. Restricting Administrative Privileges (Control 5) requires isolating privileged management access, which directly maps to management plane segmentation. Application control and patching are also significantly more manageable in segmented environments. For organisations in regulated sectors and those seeking cyber insurance, network segmentation is assessed as a positive security indicator in underwriting evaluations.
How do I segment IoT devices on my business network?
Put all IoT devices (printers, cameras, building management systems, smart TVs, POS terminals) on a dedicated IoT VLAN completely separate from business systems, ideally one VLAN per device class so that a compromised camera cannot reach the POS terminals either. Configure inter-VLAN firewall rules that permit only the specific connections each device class needs, in each direction: for example, printers accept print jobs (raw tcp/9100 or IPP on tcp/631) from the workstation VLANs and may initiate an SMB connection to a single scan-to-folder share, but cannot initiate connections to any other server. Block all other inter-VLAN traffic to and from the IoT VLAN, and log the denies: a printer attempting to reach a domain controller is a high-fidelity indicator of compromise. This eliminates the IoT device as a lateral movement pivot point, even if the device is compromised.
How much does network segmentation cost for a small Australian business?
For a typical Australian SMB with existing managed switches and a next-generation firewall, implementing VLAN-based segmentation is primarily a professional services cost: designing the segment structure, configuring VLANs and firewall rules, and testing. For most environments with 20–100 devices across 5–8 VLANs, this ranges from $8,000 to $25,000 for design and implementation, depending on network complexity, number of locations, and whether existing equipment supports the required features. The ROI, as the Sydney case study demonstrates, can be realised by preventing a single incident.
How do I know if my current network segmentation is effective?
The only reliable way to know if your segmentation is effective is to test it, specifically through penetration testing that attempts to traverse segment boundaries from a compromised starting point. A penetration tester with access to a standard workstation should not be able to reach domain controllers, financial systems, or backup infrastructure. If they can, your segmentation has gaps. Our penetration testing services and vulnerability scanning include segmentation validation, verifying that the boundaries you believe exist actually hold under real-world attack conditions.
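Added example (not the page's or CodeHyper's tooling) of the check this answer describes, run from a standard workstation: every crown-jewel address must be unreachable, and one target that should be reachable is included as a positive control so that a local firewall or a wrong VLAN on the test laptop cannot produce a false pass. The addresses, ports and labels are constructed; run it only on networks you are authorised to test.

```python
"""Probe segmentation from an ordinary workstation. Added example; the targets
below are constructed and the script must only be run where you are
authorised to test."""
import socket

# (label, host, port, expectation). From the workstation VLAN, "blocked"
# targets must be unreachable; the "allowed" entry is a positive control that
# proves the probe itself is not being dropped by a local firewall or a wrong
# VLAN on the test laptop. All addresses are assumptions.
TARGETS = [
    ("domain controller LDAP", "10.20.0.5",  389,  "blocked"),
    ("domain controller SMB",  "10.20.0.5",  445,  "blocked"),
    ("finance database",       "10.20.0.30", 1433, "blocked"),
    ("backup server",          "10.30.0.10", 9392, "blocked"),
    ("switch management SSH",  "10.99.0.1",  22,   "blocked"),
    ("server iDRAC",           "10.99.0.15", 443,  "blocked"),
    ("file server SMB",        "10.20.0.20", 445,  "allowed"),  # positive control
]

def tcp_probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt:
    'open'     - handshake completed; the boundary is not enforced at all.
    'reset'    - RST came back; the SYN reached the host (or a firewall that
                 rejects rather than drops), so the segment is routable from here.
    'filtered' - timeout or ICMP unreachable; the packet was dropped."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "reset"
    except OSError:  # includes TimeoutError and host/network unreachable
        return "filtered"

def validate(targets=TARGETS, probe=tcp_probe):
    """Return (label, host, port, detail) for every target that violates its
    expectation. `probe` is injectable so the logic can run without a network."""
    findings = []
    for label, host, port, expected in targets:
        result = probe(host, port)
        if expected == "blocked" and result != "filtered":
            findings.append((label, host, port, f"reachable ({result})"))
        elif expected == "allowed" and result != "open":
            findings.append((label, host, port, f"positive control failed ({result})"))
    return findings

def summarise(findings):
    """One-line verdict plus detail; an empty findings list is the only pass."""
    if not findings:
        return "PASS: boundaries hold and the positive control succeeded"
    lines = [f"FAIL: {len(findings)} finding(s)"]
    lines += [f"  {label} {host}:{port}: {detail}" for label, host, port, detail in findings]
    return "\n".join(lines)

if __name__ == "__main__":
    print(summarise(validate()))
```

The distinction between "reset" and "filtered" is the point of the exercise: a TCP RST means the SYN reached the host, so the segment is routable from where you sit even though that particular port is closed. A boundary that is holding produces timeouts, not resets; where your firewall is configured to reject rather than drop, treat a reset as a finding to investigate (did the RST come from the firewall or from the target?) rather than an automatic pass. A finding on the positive control means the probe itself is blocked and every other "filtered" result is meaningless.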
How does network segmentation relate to zero trust security?
Network segmentation is a foundational enabler of zero trust security architecture. Zero trust’s core principle, ‘never trust, always verify’, requires that every access request, from any device in any network location, is explicitly authenticated and authorised before it is granted. Network segmentation provides the enforcement boundaries that make zero trust practical: without segmented network zones and controlled access between them, zero trust identity and device policies have no network-level enforcement to back them up. Microsegmentation, in particular, is the network implementation of zero trust principles at the workload level. Our overview of IoT and cybersecurity explains how zero trust segmentation applies to the most challenging device class in modern business networks.