Suppose an employee clicks a link in a phishing email and the attacker gains control of a single workstation. On a flat network, the whole company is reachable from that one machine: servers, financial data, production systems, everything. On a segmented network, the attacker is confined to the workstation's own segment and has to get past a filtered boundary before reaching anything that matters.
That’s the difference that network segmentation makes. Yet at Cyberplan, we see that the majority of Flemish SMEs still work with a completely flat network, where each device can communicate with every other device. In this article, we explain exactly what network segmentation is, why it is indispensable for your business, and give you a concrete approach to implement it step by step.
What is network segmentation?
Network segmentation is dividing your corporate network into smaller, protected zones. Each segment contains only the systems and users that belong together, and traffic between segments is controlled by firewalls or access rules. Compare it to fire doors in a building: if a fire breaks out in one room, the doors prevent the fire from spreading to the rest of the building.
The basic principles
The idea behind network segmentation is simple: not everything has to be connected to everything. Your accounting software doesn't need to reach the machines on the production floor. The guest Wi-Fi doesn't need to reach your file server. By making that separation, you limit how far an attacker can get once inside, and at the same time improve the performance of your network.
A well-segmented network operates on the principle of least privilege: each system and user is given access only to what is strictly necessary for work.
Physical vs. logical segmentation
There are two ways to achieve segmentation. With physical segmentation, you use separate network equipment (switches, routers) for each segment. This is the most watertight approach, but also the most expensive. With logical segmentation, you use VLANs (Virtual Local Area Networks) to divide the network virtually across the same physical infrastructure. VLANs are the practical choice for most SMEs: they provide strong separation without rewiring your entire network. One caveat: a VLAN on its own only separates traffic at the switch level. The separation is only as strong as the firewall that controls routing between the VLANs and the switch configuration (trunk ports, native VLAN) that prevents a host from reaching a VLAN it was not assigned to.
In practice, companies often combine both approaches. For example, a manufacturing company may use physically separate networks for office and production, while within the office network VLANs separate the different departments.
Network segmentation vs. microsegmentation
Classical network segmentation works at the network level: you divide the network into large zones. Microsegmentation goes a step further and works at the level of individual servers, applications or even processes. Where network segmentation places fire doors between floors, microsegmentation places them between each room.
Microsegmentation is a core part of a Zero Trust architecture, the principle that no device or user is automatically trusted, even within its own network. For organizations processing sensitive data or subject to more stringent regulations, microsegmentation is increasingly relevant. For most Flemish SMEs, however, classic network segmentation with VLANs is the right first step. Microsegmentation builds on that later as your maturity grows.
Why network segmentation is essential for your business
Limiting damage in the event of a cyber attack
This is the key argument. In a ransomware attack on a flat network, the malware can spread to any connected system within minutes. With segmentation, the damage is limited to the affected segment. The rest of your business keeps running. We saw this painfully illustrated with several Belgian companies that were down for months after an attack precisely because their network was not segmented.
Better network performance
An additional benefit that many companies don't think about: segmentation improves the speed and stability of your network. Each VLAN is its own broadcast domain, so fewer devices per segment means less broadcast traffic, less congestion and faster connections. Employees who complain that "the network is slow" are often working on an overloaded, flat network.
Simplified management and compliance
With clear segments, network management becomes more manageable. Your IT team can set and monitor specific security rules for each zone. Moreover, segmentation makes it easier to meet compliance requirements: you can prove that sensitive data (employee data, financial information, customer data) is in a separate, extra secure segment.
Network segmentation and NIS2: what Belgian cyber law expects of you
Network segmentation is no longer just a best practice, it is becoming a legal requirement for more and more companies. The Belgian NIS2 law (effective Oct. 18, 2024) requires essential and important entities to implement appropriate security measures. The CyberFundamentals framework (CyFun), the Belgian reference framework for NIS2 compliance, includes network segmentation as one of the concrete measures.
The deadline is fast approaching: essential entities must submit a self-assessment at CyFun level Basic or Important at minimum to the CCB by April 18, 2026. By April 2027, the final level must be certified. But it may also affect companies not directly covered by NIS2. NIS2-mandated organizations may require their suppliers to implement at least CyFun Basic. Is your company a supplier to a larger organization? If so, network segmentation may be a contractual requirement.
Want to know if your company is covered by NIS2 and what that means in concrete terms? Our team will help you with a clear analysis. Flemish SMEs can get up to 45% subsidy on cybersecurity advice through the SME portfolio, including a cybersecurity audit that maps your network segmentation.
Here’s how to implement network segmentation in your business: 6 steps
Step 1: map your network
Start with a complete inventory. What devices are hanging on your network? Consider workstations, servers, printers, IP phones, security cameras, IoT sensors and production equipment. Also document data flows: which systems communicate with which, and why? Many IT teams discover devices they didn’t know existed at this stage.
Step 2: define your segments
Group systems by function, sensitivity and user group. At a minimum, a typical segmentation for a medium-sized company includes these zones: office workstations, servers and management environment, guest Wi-Fi, VoIP/telephony, and (if applicable) production or OT systems. The more sensitive the data or system, the stricter the separation.
Step 3: configure VLANs and firewall rules
For each segment, set up a VLAN on your managed switches. Then configure firewall rules that determine what traffic is allowed between segments. The basic rule: block everything, and allow only what is necessary. Your ERP server should be reachable from the office segment, and only on the ports the ERP client actually uses, but not from the guest Wi-Fi at all. Document each rule with a reason; that makes future management and audits easier and tells you when a rule can be removed.
Step 4: secure the transitions
The places where segments communicate with each other are the critical points. Deploy next-generation firewalls here that inspect traffic not only by port number but also at the application level. For sensitive segments (such as management or financial systems), consider requiring additional authentication, for example multi-factor authentication before an administrative session is allowed into the segment.
Step 5: test your segmentation
Implementation without testing is gambling. Perform a penetration test of your network to validate that the separation works. Can a device in one segment really not reach systems in another segment? Test from inside to outside as well as vice versa, and test from every segment, including guest Wi-Fi and the printer or IoT VLANs, not only from the office. At Cyberplan, our OSCP-certified pen testers systematically test whether segmentation holds up in practice.
Step 6: monitor and maintain
Network segmentation is not a one-time project. Monitor traffic between segments continuously. Set alerts for unusual traffic patterns: if a printer suddenly connects to your database server, something is wrong. Evaluate your segmentation at least annually, and always after changes in your infrastructure such as new servers, a business acquisition or an office move.
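The three technical steps above (Step 3: default-deny rules with a documented reason, Step 5: checking that a flow really is blocked, Step 6: alerting on traffic that crosses a boundary it should not) can be captured in one small policy-as-code model. The following is an added example written for this article, not code from Cyberplan or from any product. The segment names, VLAN IDs, address ranges, rules and flow-log lines are constructed for illustration and do not describe any real network; the nftables rendering assumes a Linux router with one VLAN sub-interface per segment named vlan<ID>. The same model also flags the allow-all rules that quietly undo segmentation.

```python
"""Segmentation policy as code for Steps 3, 5 and 6: a default-deny allow-list
between VLANs with a documented reason per rule, a check that answers "is this
flow allowed?", an nftables rendering for a Linux router with one VLAN
sub-interface per segment, and a pass over flow-log lines that flags traffic
the policy does not permit. All segment names, VLAN IDs, addresses and log
lines are constructed for illustration and do not describe a real network."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed segments: name -> (VLAN id, subnet).
SEGMENTS = {
    "office":     (10, ipaddress.ip_network("10.10.0.0/24")),
    "servers":    (20, ipaddress.ip_network("10.20.0.0/24")),
    "guest_wifi": (30, ipaddress.ip_network("10.30.0.0/24")),
    "voip":       (40, ipaddress.ip_network("10.40.0.0/24")),
    "ot":         (50, ipaddress.ip_network("10.50.0.0/24")),
    "management": (99, ipaddress.ip_network("10.99.0.0/24")),
}

@dataclass(frozen=True)
class Rule:
    src: str                     # source segment
    dst: str                     # destination segment
    proto: str                   # "tcp" or "udp"
    dports: Optional[frozenset]  # destination ports; None means any port
    reason: str                  # why the rule exists (Step 3: document every rule)

# The allow-list. Any inter-segment flow not matched here is dropped.
RULES = [
    Rule("office", "servers", "tcp", frozenset({443, 445}), "ERP web UI and file shares from office"),
    Rule("office", "servers", "tcp", frozenset({53, 88, 389, 636}), "AD logon, Kerberos and LDAP"),
    Rule("office", "servers", "udp", frozenset({53, 88}), "Internal DNS and Kerberos over UDP"),
    Rule("management", "servers", "tcp", frozenset({22, 3389}), "Admin access only from the management VLAN"),
    Rule("ot", "servers", "tcp", frozenset({8443}), "PLC data push to the ERP collector"),
]

def segment_of(ip):
    """Name of the segment an address belongs to, or None if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, (_, net) in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, proto, dport):
    """Return (allowed, reason). Traffic inside one VLAN never crosses the
    inter-VLAN firewall, so it passes; everything else needs a matching rule."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every known segment"
    if src == dst:
        return True, "same segment, not filtered by the inter-VLAN firewall"
    for r in RULES:
        if (r.src, r.dst, r.proto) == (src, dst, proto) and (r.dports is None or dport in r.dports):
            return True, r.reason
    return False, "default deny"

def render_nftables(rules=RULES):
    """Render the allow-list as an nftables forward chain with policy drop
    (assumed interface names vlan<ID>); the reason becomes a comment per rule."""
    out = ["table inet segmentation {", "  chain forward {",
           "    type filter hook forward priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in rules:
        (s_id, s_net), (d_id, d_net) = SEGMENTS[r.src], SEGMENTS[r.dst]
        ports = "" if r.dports is None else f" {r.proto} dport {{ {', '.join(map(str, sorted(r.dports)))} }}"
        out.append(f"    # {r.reason}")
        out.append(f"    iifname vlan{s_id} oifname vlan{d_id} ip saddr {s_net} ip daddr {d_net}{ports} accept")
    out += ['    log prefix "seg-drop: " drop', "  }", "}"]
    return "\n".join(out)

def lint_rules(rules=RULES):
    """Flag rules that quietly undo segmentation: any-port rules and rules with no reason."""
    findings = []
    for r in rules:
        if r.dports is None:
            findings.append(f"{r.src}->{r.dst}/{r.proto}: allows every port")
        if not r.reason.strip():
            findings.append(f"{r.src}->{r.dst}/{r.proto}: no documented reason")
    return findings

# Constructed flow log, one flow per line: src_ip dst_ip proto dport
FLOW_LOG = [
    "10.10.0.15 10.20.0.5 tcp 443",    # office workstation -> ERP over HTTPS: allowed
    "10.30.0.7 10.20.0.5 tcp 443",     # guest Wi-Fi -> ERP: denied
    "10.10.0.200 10.20.0.9 tcp 1433",  # printer in the office VLAN -> SQL server: denied
    "10.10.0.15 10.20.0.5 tcp 3389",   # office -> RDP on a server: denied, management only
    "10.99.0.2 10.20.0.5 tcp 3389",    # management VLAN -> RDP: allowed
]

def check_flows(lines):
    """Step 6: return the flows the policy denies (line, src segment, dst segment, reason)."""
    violations = []
    for line in lines:
        src, dst, proto, dport = line.split()
        allowed, why = is_allowed(src, dst, proto, int(dport))
        if not allowed:
            violations.append((line, segment_of(src), segment_of(dst), why))
    return violations

if __name__ == "__main__":
    print(render_nftables())
    for v in check_flows(FLOW_LOG):
        print("ALERT", v)
```

Run against the constructed log, check_flows returns the three denied flows, including the printer talking to the SQL server; those are the lines that should raise an alert in practice, since on a correctly configured boundary they should never appear as established connections. The one model feeds all three steps: render_nftables produces the default-deny ruleset, is_allowed is what a segmentation test asserts against, and lint_rules catches the forgotten "allow all" rule before it reaches the firewall.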
Common network segmentation mistakes (and how to avoid them)
In the hundreds of audits of corporate networks that we conducted at Flemish companies, we see the same errors recurring:
The “flat network” problem:
By far the most common situation: the entire company sits on one network segment. Workstations, servers, printers, cameras, guest Wi-Fi, everything communicates with everything. One compromised device gives access to the entire network.
Printers and IoT in the server segment:
Printers, cameras and smart sensors often run on outdated firmware that is rarely patched. If these devices are in the same segment as your servers, they provide an easy springboard for attackers.
Segmentation without monitoring:
Creating VLANs is step one. But if no one monitors what happens between those segments, you won’t notice a breach until it’s too late. Segmentation without monitoring gives a false sense of security.
Overly broad firewall rules:
We regularly see firewall configurations with “allow all” rules between segments, often set temporarily during a migration and never reversed. One forgotten rule can undermine your entire segmentation.
No separate management network:
IT administrators who manage systems from the same network segment as ordinary users pose a risk. A separate management VLAN with strict access control prevents an attacker from accessing management consoles through an ordinary workstation.
Case study: network segmentation at a Flemish manufacturing company
Take a typical Flemish manufacturing company with 120 employees: an office environment with 40 workstations, a production hall with 15 automated machines, a small warehouse with scanners and an IT team of 3 people. After the segmentation project, the company ended up with this layout:
Segment 1 (Office): workstations, laptops and multifunction printers. Access to the ERP system, e-mail and the Internet. No direct access to production systems.
Segment 2 (Servers and applications): the ERP server, file server, domain controller and backup systems. Reachable only from the office segment, and only over specific ports and protocols.
Segment 3 (Production, OT): PLCs, HMI screens and production machines. Physically separated from the office network. A limited, one-way data flow to the ERP server for production data. No Internet access.
Segment 4 (Guest Wi-Fi): completely isolated. Provides Internet access for visitors and remote technicians, but has no connection to internal systems.
Segment 5 (Management and IT administration): a protected segment for system administration, with mandatory multi-factor authentication. Accessible only to the IT team.
The result? When an employee accidentally brought in malware via a USB stick a few months later, the infection was limited to the office segment. Production ran uninterrupted and the servers were unaffected. Without segmentation, this company might have shut down for days.
Frequently asked questions about network segmentation
What is the difference between network segmentation and microsegmentation?
Network segmentation divides your network into large zones (e.g., office, servers, production) with firewalls in between. Microsegmentation goes further and controls traffic at the level of individual servers or applications. For most SMBs, classic segmentation is the right first step.
Is network segmentation mandatory under NIS2?
Network segmentation is one of the concrete security measures in the CyberFundamentals framework, the Belgian reference framework for NIS2 compliance. Essential entities must demonstrate at least CyFun level Basic or Important by April 2026. Companies in the supply chain of NIS2-compliant organizations may also be required to implement network segmentation.
How many network segments does an SME need?
A medium-sized business typically needs at least four to six segments: office workstations, servers, guest Wi-Fi, management network, and possibly production/OT and VoIP. The exact number depends on your business operations and the sensitivity of your data.
Can network segmentation stop ransomware?
Segmentation doesn’t stop ransomware at the front door, but it drastically limits the damage. Without segmentation, ransomware can spread to any system on your network within minutes. With segmentation, infection is limited to the affected segment, while the rest of your business remains operational.
How often should you evaluate your network segmentation?
Evaluate your network segmentation at least annually and after any significant change in your infrastructure, such as new servers, a merger or acquisition, or an office move. A periodic penetration test validates whether the segmentation holds up in practice.
What does network segmentation cost for a medium-sized company?
Costs vary greatly depending on the size and complexity of your network. For a company with 50-150 workstations and existing managed switches, VLAN configuration is often feasible without large hardware investments. Flemish SMEs can receive up to 45% subsidy on the consulting process through the SME portfolio.
The next step? Network segmentation begins with understanding your current situation. Our cybersecurity experts map your network, identify the risks and deliver a concrete implementation plan tailored to your business. Flemish SMEs are eligible for VLAIO grants that cover up to 45% of consulting costs.
Book a free consultation and find out how your business is doing today.