Segmenting Critical Systems From Everything Else to Limit Damage From Malware or Mistakes
A Sligo retail company's point-of-sale system was compromised through a vulnerability in a networked CCTV camera. The CCTV system was on the same flat network as the payment terminals, the stock management server, and the finance director's laptop. Within four hours of the initial compromise, the attacker had reached all of them. The CCTV system cost €800 to replace. The payment data breach that followed cost significantly more.
The company was not operating carelessly. They had reasonable controls in place. What they did not have was segmentation — the practice of separating different systems onto different network segments so that a compromise in one area cannot automatically spread to all others.
Segmentation is the control that limits blast radius. It does not prevent malware from entering. It prevents malware from going everywhere once it does.
What Is Network Segmentation?
Network segmentation is the practice of dividing a computer network into distinct zones — typically using VLANs (Virtual Local Area Networks) or separate physical networks — so that traffic between zones is controlled and a compromise in one zone cannot automatically propagate to others.
In a flat network, every device can communicate with every other device by default. A device compromised in one part of a flat network has, at least in principle, immediate access to everything else on it. In a segmented network, devices in different segments can only communicate through defined, controlled pathways — which can be monitored, restricted, and shut down if needed.
The Segments Most Irish SMEs Need
Business operations segment. Your primary work computers, file servers, internal applications, and printers. This is where most staff work. Controls here are important but not exceptional — this segment has the largest attack surface because it has the most devices and the most human interaction.
Critical systems segment. Your most valuable assets — financial systems, client databases, HR records, the systems that contain your crown jewels. Access to this segment should be restricted to the smallest number of devices and users who genuinely need it. No general staff workstations. No IoT devices. No guest access.
IoT and infrastructure segment. CCTV systems, networked printers, smart building devices, access control panels, environmental monitoring. These devices often run outdated firmware, have default credentials, and provide limited security visibility. Isolating them means a compromised CCTV camera or printer cannot reach your financial system or client data.
Guest and visitor segment. Internet access for visitors, contractors, and personal devices. No access to any internal systems. Separate SSID. Credentials that change regularly.
Management segment. The network from which IT administration is performed. Administrator access to all other segments is conducted from this segment only, with additional authentication requirements. An attacker who compromises a standard user workstation cannot reach the administrative tools from there.
How many of these segments does your business currently have? Most Irish SMEs have one or two. The question is not whether you need all five immediately — it is which gaps create the most risk given your specific environment. Book a free 20-minute strategy call — network segmentation assessments are a standard part of our SME security reviews.
How to Implement Segmentation Without an Enterprise Budget
Modern business-grade firewalls and managed switches — from Cisco Meraki, Fortinet, Ubiquiti, and others — support VLAN configuration at price points appropriate for Irish SMEs. A three-segment network (business operations, IoT, and guest) can typically be implemented on existing infrastructure or with hardware investment of €500–2,000 depending on network size and current equipment.
The implementation is a half-day to full-day project for a competent IT provider. The key steps are: audit the current network to identify all devices and their roles, design the segment structure appropriate for the business, configure VLANs on the managed switch and firewall, create inter-segment access rules that permit only required communication, and test that the segmentation is effective by attempting to reach a protected segment from a lower-trust one.
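To make the five segments and the "create inter-segment rules, then test from a lower-trust segment" steps concrete, here is a small policy model. It is an added example written for this article, not a vendor configuration and not code from Pragmatic Security: the VLAN IDs, address ranges, the finance workstation address and the permitted flows are constructed assumptions. The policy is default-deny between VLANs with an explicit allow list, and the last function is the test step: it probes every lower-trust to higher-trust pair and reports any flow the policy would let through.

```python
"""Added example, not from the article: a model of the five segments described
above and of the 'create inter-segment rules, then test from a lower-trust
segment' steps. VLAN IDs, address ranges, host addresses and allowed flows are
constructed assumptions for illustration, not any vendor's configuration."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    cidr: str   # constructed RFC 1918 range, one per VLAN
    trust: int  # 0 = least trusted; decides which probes count as "lower to higher"


# Constructed layout for the five segments in the article.
SEGMENTS = {
    "guest":      Segment("guest",      10, "192.168.10.0/24", 0),
    "iot":        Segment("iot",        20, "192.168.20.0/24", 1),
    "business":   Segment("business",   30, "192.168.30.0/24", 2),
    "critical":   Segment("critical",   40, "192.168.40.0/24", 3),
    "management": Segment("management", 99, "192.168.99.0/24", 4),
}


@dataclass(frozen=True)
class Rule:
    src: str    # a segment name, or a CIDR for a host-level exception
    dst: str    # a segment name
    proto: str
    port: int
    note: str


# Explicit allow list. Any inter-VLAN flow not listed here is dropped.
ALLOW = [
    Rule("business", "iot", "tcp", 9100, "staff print to networked printers"),
    Rule("192.168.30.50/32", "critical", "tcp", 443, "one finance workstation to the finance app only"),
    Rule("management", "business", "tcp", 22, "admin ssh"),
    Rule("management", "iot", "tcp", 22, "admin ssh"),
    Rule("management", "iot", "tcp", 443, "camera and printer web admin"),
    Rule("management", "critical", "tcp", 22, "admin ssh"),
]


def segment_of(ip):
    """Return the segment name containing ip, or None if it is in no VLAN."""
    addr = ipaddress.ip_address(ip)
    for seg in SEGMENTS.values():
        if addr in ipaddress.ip_network(seg.cidr):
            return seg.name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Evaluate one flow against the policy. Traffic inside a VLAN is not filtered here."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    addr = ipaddress.ip_address(src_ip)
    for r in ALLOW:
        if r.dst != dst or r.proto != proto or r.port != port:
            continue
        if r.src == src or (r.src not in SEGMENTS and addr in ipaddress.ip_network(r.src)):
            return True
    return False


def render_nftables():
    """Render the allow list as an nftables-style forward chain with a default drop.
    Illustrative syntax only; the real rules go on whatever firewall is in use."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in ALLOW:
        src = SEGMENTS[r.src].cidr if r.src in SEGMENTS else r.src
        lines.append(f"    ip saddr {src} ip daddr {SEGMENTS[r.dst].cidr} "
                     f"{r.proto} dport {r.port} accept  # {r.note}")
    lines += ["  }", "}"]
    return "\n".join(lines)


PROBE_PORTS = [22, 80, 443, 445, 3389, 9100]  # constructed probe set


def probe(src_seg, dst_seg):
    """Ports an ordinary host in src_seg could reach in dst_seg under the policy."""
    src_ip = str(ipaddress.ip_network(SEGMENTS[src_seg].cidr)[200])  # not the finance exception host
    dst_ip = str(ipaddress.ip_network(SEGMENTS[dst_seg].cidr)[10])
    return [p for p in PROBE_PORTS if is_allowed(src_ip, dst_ip, "tcp", p)]


def verify_isolation():
    """The article's test step: an ordinary host in any lower-trust segment must
    reach nothing in any higher-trust segment. Returns a list of findings."""
    findings = []
    for s in SEGMENTS:
        for d in SEGMENTS:
            if SEGMENTS[s].trust < SEGMENTS[d].trust and probe(s, d):
                findings.append(f"{s} -> {d}: policy permits ports {probe(s, d)}")
    return findings


if __name__ == "__main__":
    print(render_nftables())
    print("isolation findings:", verify_isolation() or "none")
```

The one lower-to-higher flow in the allow list is pinned to a single finance workstation rather than the whole business segment, which is what "restricted to the smallest number of devices and users who genuinely need it" looks like in a rule table; `verify_isolation` passes because the probe runs from an ordinary staff address, and it would fail the moment someone widened that rule to the full VLAN.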
For businesses with very limited infrastructure — a small office with a consumer router and a handful of devices — the practical starting point is the guest Wi-Fi separation described elsewhere in this series, combined with ensuring that IoT devices use a separate SSID. Full segmentation can be introduced incrementally as infrastructure is upgraded.
Segmentation and the Lateral Movement Problem
The most important security benefit of segmentation is its impact on lateral movement — the attacker's practice of moving from an initial access point to higher-value targets within the same network. Lateral movement is a standard component of ransomware attacks and is the phase during which attackers escalate their access to administrator level, identify and compromise backup systems, and reach the most valuable data.
In a flat network, lateral movement is relatively unconstrained. An attacker who compromises any device has a pathway to every other device. In a segmented network, lateral movement requires traversing segment boundaries — which can be monitored, detected, and blocked. The attacker who compromises a workstation in the general staff segment cannot simply reach the financial database in the critical systems segment without passing through a controlled gateway.
This does not stop all attacks. It slows them down, generates alerts that enable detection, and limits the damage when containment is not immediate.
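The alerts that segment boundaries generate are only useful if something reads them. As an added example (not part of the article, and not Pragmatic Security's tooling), the code below runs simple detection logic over constructed firewall deny logs: a denied attempt from the IoT or guest segment into the critical or management segment is flagged on a single event, because those segments should never talk, while denies from the business segment into the critical segment are flagged only when one source hits several distinct targets in a short window, which is the scanning pattern of lateral movement rather than a misconfigured application. The key=value log format, the addresses and the segment ranges are assumptions; real firewall syslog formats differ.

```python
"""Added example, not from the article: detection of cross-segment attempts in
firewall deny logs. The key=value log format, addresses and segment ranges are
constructed assumptions; adapt the parser to the firewall actually in use."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed segment ranges matching the article's five segments.
SEGMENT_CIDRS = {
    "guest": "192.168.10.0/24", "iot": "192.168.20.0/24",
    "business": "192.168.30.0/24", "critical": "192.168.40.0/24",
    "management": "192.168.99.0/24",
}
TRUST = {"guest": 0, "iot": 1, "business": 2, "critical": 3, "management": 4}

# Constructed log sample: a camera in the IoT VLAN probing the critical segment,
# plus ordinary background traffic that should not alert.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z action=deny src=192.168.20.15 dst=192.168.40.10 proto=tcp dport=445
2024-03-04T09:12:02Z action=deny src=192.168.20.15 dst=192.168.40.10 proto=tcp dport=3389
2024-03-04T09:12:02Z action=deny src=192.168.20.15 dst=192.168.40.11 proto=tcp dport=445
2024-03-04T09:12:03Z action=deny src=192.168.20.15 dst=192.168.40.12 proto=tcp dport=22
2024-03-04T09:12:03Z action=deny src=192.168.20.15 dst=192.168.40.13 proto=tcp dport=445
2024-03-04T09:15:40Z action=allow src=192.168.30.7 dst=192.168.20.9 proto=tcp dport=9100
2024-03-04T09:16:02Z action=deny src=192.168.30.22 dst=192.168.40.10 proto=tcp dport=443
2024-03-04T09:20:11Z action=allow src=192.168.99.5 dst=192.168.40.10 proto=tcp dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")


def segment_of(ip):
    """Map an address to its segment name, or None if it is outside every VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in SEGMENT_CIDRS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), min_targets=3):
    """Flag denied flows that cross from a lower-trust to a higher-trust segment.

    high:   any deny from guest/iot into critical/management (should never happen)
    medium: one source denied to >= min_targets distinct (host, port) pairs within window
    """
    groups = defaultdict(list)
    for e in events:
        s, d = segment_of(e["src"]), segment_of(e["dst"])
        if e["action"] != "deny" or s is None or d is None or TRUST[s] >= TRUST[d]:
            continue
        groups[(e["src"], s, d)].append(e)

    alerts = []
    for (src, s, d), evs in groups.items():
        targets = {(e["dst"], e["dport"]) for e in evs}
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if s in ("guest", "iot") and d in ("critical", "management"):
            severity, reason = "high", "device that should never reach this segment attempted to"
        elif len(targets) >= min_targets and span <= window:
            severity, reason = "medium", f"{len(targets)} distinct targets denied within {window}"
        else:
            continue  # a single stray deny from a staff machine is a ticket, not an incident
        alerts.append({"src": src, "src_segment": s, "dst_segment": d,
                       "severity": severity, "targets": len(targets), "reason": reason})
    return sorted(alerts, key=lambda a: (a["severity"], a["src"]))


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample above the camera at 192.168.20.15 produces one high-severity alert covering five targets, the single deny from the staff machine at 192.168.30.22 produces nothing, and the two allowed flows are ignored. The point is the one made in the text: in a flat network the camera's probing would have generated no log line at all, because there was no boundary to refuse it.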
Why This Matters Right Now
The NCSC Ireland's incident analysis consistently identifies lateral movement as a feature of the most costly incidents affecting Irish organisations. Ransomware that achieves wide network propagation before activating causes significantly more damage than ransomware that is contained to a small number of devices. The difference between the two outcomes is frequently determined by whether segmentation was in place [^1].
Segmentation is not a sophisticated control. It is a fundamental architectural decision about how your network is structured. Getting it right once provides ongoing protection that does not require continuous maintenance — unlike many other security controls.
What Next
Map your current network. Ask your IT provider for a network diagram showing all devices, segments (if any), and how they connect. If no diagram exists, creating one is the first step.
Identify your highest-priority segmentation target. IoT devices on the same network as critical systems, or a complete lack of guest/staff separation, are the most impactful starting points for most Irish SMEs.
Request a segmentation quote from your IT provider. For most small business environments, implementing basic segmentation is a half-day project. The cost should be proportional to the benefit — which, framed against your incident cost calculation, is almost always justified.
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.
Related Reading
- Practical Office Network Hygiene: Guest Wi-Fi, Admin vs User Accounts, and Simple Segmentation
- Mapping Your Crown Jewels: Identifying the Data and Systems You Must Protect
- Ransomware 101: How Attacks Really Start in Irish SMEs
[^1]: NCSC Ireland — Network Security Guidance
[^2]: An Garda Síochána — National Cyber Crime Bureau
[^3]: Data Protection Commission Ireland
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.