
Flat Networks Turn a Single Breach Into a Company-Wide Incident

· Infonaligy

Most SMBs run flat networks where one compromised device gives attackers access to everything. Segmentation contains breaches before they spread.


A single compromised workstation shouldn’t be able to reach your accounting software, file servers, and backup systems. But on most SMB networks, it can. When every device sits on the same network with no internal barriers, one successful phishing email or one stolen credential gives an attacker access to your entire environment.

What “Flat Network” Means in Practice

A flat network is one where all devices can communicate with each other directly. Your receptionist’s computer can reach the server that runs your ERP system. The guest WiFi your clients use shares the same network as your domain controllers. IoT devices like security cameras and smart thermostats sit alongside workstations that access sensitive financial data.

This design is common because it’s the default. Off-the-shelf routers and switches ship configured for a single network. Small businesses that grew without dedicated IT staff tend to add devices to the same network year after year. By the time the company reaches 100 employees, the network that worked for 15 people is still fundamentally the same, just with more devices plugged in.

The problem is that flat networks give attackers freedom of movement. Once they compromise any device on the network, they can scan and reach every other device without crossing any security boundaries. Techniques like credential theft and lateral movement become trivial when nothing prevents one machine from connecting to another.

How Attackers Exploit Unsegmented Networks

Ransomware operators specifically target flat networks because they maximize the blast radius of an attack. After gaining initial access through a phishing email, a compromised VPN, or a stolen session cookie (a technique covered in detail in our post on infostealers bypassing MFA), the attacker begins lateral movement. Lateral movement is the process of spreading from the first compromised device to as many systems as possible.

On a segmented network, that spread hits walls. The attacker compromises a workstation in marketing but can’t reach the finance servers because they’re on a separate network segment with firewall rules restricting access. On a flat network, there are no walls. The attacker moves from marketing workstations to file servers to domain controllers to backup systems without restriction.

The Verizon Data Breach Investigations Report consistently identifies lateral movement as a key factor in breaches that cause large-scale data exposure. MITRE’s ATT&CK framework documents dozens of lateral movement techniques, from pass-the-hash to remote service exploitation, and every one of them is easier to execute on a flat network.

Attackers using living-off-the-land techniques are especially dangerous on unsegmented networks. They use built-in Windows tools like PowerShell, WMI, and RDP to move laterally, which means antivirus often doesn’t flag their activity. Without network-level barriers, these tools work exactly as designed, connecting freely between systems.

What Segmentation Looks Like for an SMB

Network segmentation divides your network into smaller zones, each with its own access controls. Traffic between zones passes through a firewall that enforces rules about what can talk to what.

For a typical 100-person business, practical segmentation looks like this:

  • Workstations on their own segment, separated by department if the business has distinct functional groups with different data access needs
  • Servers (file servers, application servers, domain controllers) on a dedicated segment that only allows necessary traffic from workstation segments
  • Finance and accounting systems isolated on a restricted segment with access limited to authorized users and devices
  • Guest WiFi completely separated from the internal network, with no route to internal resources
  • IoT and operational technology (cameras, printers, HVAC systems, badge readers) on an isolated segment with internet access only where needed
  • Backup systems on their own segment with tightly restricted access, preventing ransomware from reaching backup data

Modern firewalls from vendors like Fortinet handle this segmentation at the network level. VLANs (virtual LANs) on your switches create the logical separation, and firewall policies control what traffic crosses between segments. Your managed security provider configures and monitors these rules.

The goal isn’t to block all internal traffic. It’s to enforce the principle of least privilege at the network level. Marketing doesn’t need direct access to the backup servers. The guest WiFi never needs to reach your domain controller. Segmentation makes those restrictions explicit and enforceable.

Compliance Frameworks Require It

If your business operates in a regulated industry, network segmentation likely isn’t optional.

PCI DSS requires network segmentation to isolate cardholder data environments from the rest of the network. Without it, your entire network falls within the scope of PCI compliance, increasing both the cost and complexity of audits.

HIPAA requires technical safeguards to restrict access to electronic protected health information (ePHI) to authorized users and systems. Network segmentation is one of the primary controls for meeting this requirement. Healthcare organizations that handle patient data need clinical systems isolated from general business traffic.

CMMC (Cybersecurity Maturity Model Certification) includes requirements around network architecture that effectively mandate segmentation for defense contractors handling controlled unclassified information.

Even if your specific compliance framework doesn’t use the word “segmentation,” most frameworks require access controls, network monitoring, and containment capabilities that are extremely difficult to achieve on a flat network.

How to Start Without Disrupting Operations

Segmenting an existing network doesn’t have to happen in a single weekend. A phased approach reduces risk and limits disruption.

Start with an inventory. You can’t segment what you don’t understand. Map every device on the network, what it does, what it connects to, and who uses it. Your network management tools and RMM platform provide most of this data.

Separate the obvious first. Guest WiFi, IoT devices, and printers are low-risk first moves because isolating them rarely affects employee workflows. These devices don’t need access to your internal servers, so the segmentation rules are straightforward.

Isolate high-value targets next. Backup systems, financial applications, and domain controllers should go on restricted segments. These are the assets attackers target most aggressively during a breach, and restricting access to them significantly limits damage.

Add monitoring at segment boundaries. Once traffic flows through firewall rules between segments, you gain visibility you didn’t have before. Your SOC can monitor cross-segment traffic for anomalies, like a workstation in marketing suddenly trying to reach the backup servers.

Test and refine. Segmentation rules sometimes block legitimate traffic that wasn’t documented. Plan for a tuning period where you monitor blocked connections and adjust rules as needed. Starting with “monitor only” mode for new rules lets you see what would be blocked without actually disrupting anything.
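To make the zone model and the "monitor only" tuning step concrete, here is a small policy checker added to this post (it is not Infonaligy's tooling or a firewall vendor's configuration). The zone CIDRs, allowed ports and flow records are all constructed assumptions; it encodes the default-deny, least-privilege allow list described above and reports which cross-segment flows a new rule set would block before anything is enforced.

```python
import ipaddress

# Constructed zone layout (hypothetical CIDRs, not from the original post).
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "workstations": "10.10.0.0/16", "servers": "10.20.0.0/24",
    "finance": "10.30.0.0/24", "guest": "192.168.50.0/24",
    "iot": "10.40.0.0/24", "backup": "10.50.0.0/24"}.items()}

# Explicit allow list: (source zone, destination zone, destination ports).
# Any cross-zone flow not listed is denied: least privilege at the network level.
ALLOW = [
    ("workstations", "servers", {53, 88, 389, 445}),  # DNS, Kerberos, LDAP, SMB
    ("finance", "servers", {53, 88, 389, 445}),
    ("workstations", "finance", {443}),              # accounting web app only
    ("servers", "backup", {9000}),                   # backup agent port (assumed)
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in ZONES.items() if addr in net), "unknown")

def evaluate(src_ip, dst_ip, dst_port):
    """Return (src_zone, dst_zone, verdict) for one flow."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s == d:                       # same VLAN: no firewall boundary crossed
        return s, d, "allow"
    for rs, rd, ports in ALLOW:
        if (rs, rd) == (s, d) and dst_port in ports:
            return s, d, "allow"
    return s, d, "deny"

def review(flow_lines, monitor_only=True):
    """Parse 'src dst port' lines. In monitor-only mode nothing is blocked, but
    every flow the policy would deny is reported so rules can be tuned first."""
    findings = []
    for line in flow_lines:
        src, dst, port = line.split()
        s, d, verdict = evaluate(src, dst, int(port))
        if verdict == "deny":
            findings.append((s, d, int(port), "would-deny" if monitor_only else "deny"))
    return findings

# Constructed flow records (src dst port), not real firewall logs.
FLOWS = [
    "10.10.4.21 10.20.0.5 445",     # workstation -> file server: expected
    "10.10.4.21 10.50.0.3 445",     # workstation -> backup server: lateral movement
    "192.168.50.9 10.20.0.10 389",  # guest WiFi -> domain controller: never allowed
    "10.40.0.7 10.30.0.4 443",      # camera (IoT) -> finance app: IoT must be isolated
    "10.10.4.21 10.30.0.4 443",     # workstation -> accounting web app: expected
]
```

Running `review(FLOWS)` over the constructed records reports three would-deny flows (workstation to backup, guest to servers, IoT to finance) and passes the two expected ones, which is the list a tuning period would review before switching the rules to enforce.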

Network segmentation isn’t a product you buy. It’s a design decision that determines whether a breach stays contained or becomes a company-wide shutdown. The difference between “one department offline for a day” and “entire business down for weeks” often comes down to whether the attacker could move freely after initial access.

Need Help With Network Security?

Our team can assess your current network architecture and build a segmentation plan that contains breaches without disrupting your operations.
