TL;DR

A single compromised machine should not give an attacker access to your entire business network. VLAN segmentation, traffic monitoring with Snort or Suricata, and Network Access Control (NAC) with PacketFence can stop lateral movement dead. You can deploy all three starting at roughly $200 in hardware plus a weekend of configuration, no enterprise budget required.

Your Flat Network Is the Attacker's Highway

Most small business networks are flat. Every workstation, printer, server, and IoT camera sits on the same subnet. When ransomware lands on one machine, it scans the local network and spreads to everything it can reach in minutes. The 2024 Change Healthcare breach started with stolen credentials for a remote-access portal that had no multi-factor authentication; from that single foothold the attackers moved laterally through the network, and the breach ended up affecting the records of more than 100 million people.

Lateral movement is how a single infected laptop becomes a company-wide outage. The fix is segmentation: making devices unable to talk to each other unless you explicitly allow it. NIST SP 800-207, the Zero Trust Architecture publication, states the underlying tenet: being on the internal network does not by itself earn trust, and every connection is authenticated and authorized before it is allowed. The NSA's Zero Trust guidance (reference 3) files network segmentation under the network and environment pillar.

The good news is you can implement solid segmentation this week without replacing your entire network stack.

VLANs: 30 Minutes to Network Segmentation

VLANs (Virtual Local Area Networks) split one physical switch into multiple isolated logical networks. A device on VLAN 10 cannot reach a device on VLAN 20 at all unless something routes between the two VLANs, and then only when a firewall rule on that router permits the connection. This is not optional hardening; it is your first and cheapest defense against lateral movement.

What you need

A managed switch that supports 802.1Q VLAN tagging. Entry-level "smart" switches such as the Netgear GS308E or TP-Link TL-SG108E (8 ports) cost well under $100; 24-port models run a few hundred dollars. One caveat before you buy: many of these entry-level switches do 802.1Q VLANs but not 802.1X port authentication, which the NAC section below depends on. If NAC is on your roadmap, check the datasheet for 802.1X and RADIUS-assigned VLANs. If you already have a managed switch, you own this capability today; log in and use it.

Minimum viable VLAN layout

Create at least three VLANs:

  • Staff workstations (VLAN 10): Employee laptops and desktops. They can reach the internet and specific internal servers but NOT each other. The inter-VLAN firewall cannot enforce this part, because workstation-to-workstation traffic never leaves the switch; use the switch's port isolation (protected ports) or private VLAN feature for it.
  • Servers (VLAN 20): File servers, domain controllers, application servers. The staff VLAN can reach specific server IPs on specific ports only (SMB on 445 to the file server; the DNS, Kerberos and LDAP ports to the domain controllers). RDP on 3389 should be open only from the administrators' machines, not from every workstation. Servers cannot initiate connections to staff machines; the firewall's stateful rule lets replies to staff-initiated connections through.
  • Guest and IoT (VLAN 30): Guest WiFi, printers, cameras, smart TVs. Internet access only, and nothing on this VLAN may initiate a connection to an internal VLAN. Staff can still be allowed to initiate connections to the printers (IPP on 631, raw printing on 9100); the printer only answers.

Implementation steps (this weekend)

  1. Log in to your switch management interface.
  2. Create VLANs 10, 20, and 30.
  3. Assign each switch port to the correct VLAN. Ports connected to workstations get VLAN 10, server ports get VLAN 20, the guest WiFi access point gets VLAN 30. The uplink to your router carries all three VLANs as a tagged (trunk) port.
  4. On your router or firewall (Ubiquiti, MikroTik, pfSense and OPNsense all support this), create rules with a default deny between VLANs. VLAN 10 may open connections to the file server on 445 and to the domain controllers on the ports Active Directory needs (DNS 53, Kerberos 88, LDAP 389/636, SMB 445 and the RPC ports Microsoft documents); allowing 445 alone will break domain logins. VLAN 20 cannot initiate any connection to VLAN 10. VLAN 30 can only reach the internet. Keep the stateful "established/related" rule so replies flow back.
  5. Test: plug a laptop into a VLAN 30 port, then try to ping a server on VLAN 20 and open its SMB port (for example with nmap -p 445 <server-ip>). Both should fail. Repeat from a VLAN 10 port: SMB to the file server should succeed, and a ping to another workstation should not.
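The rules in steps 4 and 5 are easy to get subtly wrong (a reverse rule instead of a stateful rule, or "445 only" to a domain controller), so it helps to hold the policy as data, evaluate test flows against it, and render the same policy as firewall rules. The script below is an added example, not code from the original article or from any of the firewall vendors named in it. It assumes the inter-VLAN router is a Linux box with VLAN sub-interfaces vlan10/vlan20/vlan30 and a WAN interface wan0, and the addresses and host names are constructed; the nftables rendering is one possible translation of the policy, not the syntax of pfSense, MikroTik or Ubiquiti.

```python
"""Segmentation policy as data: evaluate test flows and render nftables rules.

Added example, not from the article. Assumes a Linux router with VLAN
sub-interfaces vlan10/vlan20/vlan30 and WAN interface wan0 (assumption);
subnets and host addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {                                   # zone -> subnet (constructed)
    "staff":   ip_network("10.0.10.0/24"),  # VLAN 10
    "servers": ip_network("10.0.20.0/24"),  # VLAN 20
    "iot":     ip_network("10.0.30.0/24"),  # VLAN 30, guest and IoT
}
IFACE = {"staff": "vlan10", "servers": "vlan20", "iot": "vlan30"}
WAN = "wan0"
FILESERVER, DC, PRINTER = "10.0.20.10", "10.0.20.5", "10.0.30.50"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst: str            # a zone name, a single host IP, or "internet"
    proto: str          # "tcp", "udp" or "any"
    ports: tuple = ()   # empty means any destination port


# Connections a client may INITIATE. Replies ride on the stateful rule, so there
# is no reverse rule: servers and IoT devices can never start a flow to staff.
# Same-zone traffic never reaches the router; switch port isolation covers it.
POLICY = [
    Rule("staff", FILESERVER, "tcp", (445,)),
    # "445 only" to a DC breaks logins: AD also needs DNS, Kerberos, LDAP, RPC
    # (plus the dynamic RPC range for some operations; see Microsoft's port list).
    Rule("staff", DC, "tcp", (53, 88, 135, 389, 445, 464, 636, 3268, 3269)),
    Rule("staff", DC, "udp", (53, 88, 123, 389, 464)),
    Rule("staff", PRINTER, "tcp", (631, 9100)),     # IPP and raw printing
    Rule("staff", "internet", "any"),
    Rule("servers", "internet", "tcp", (80, 443)),  # updates only
    Rule("iot", "internet", "any"),
]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """First-match evaluation of a NEW connection attempt; default deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == "internet":          # nothing may be initiated from outside
        return False
    for r in POLICY:
        if r.src_zone != src_zone:
            continue
        if r.dst == "internet":
            hit = dst_zone == "internet"
        elif r.dst in ZONES:
            hit = dst_zone == r.dst
        else:
            hit = dst_ip == r.dst
        if hit and r.proto in ("any", proto) and (not r.ports or dport in r.ports):
            return True
    return False


def render_nftables() -> str:
    """Render POLICY as an nftables forward chain: default drop, stateful replies."""
    lines = ["table inet segmentation {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in POLICY:
        parts = [f'iifname "{IFACE[r.src_zone]}"']
        if r.dst == "internet":
            parts.append(f'oifname "{WAN}"')
        elif r.dst in ZONES:
            parts.append(f'oifname "{IFACE[r.dst]}"')
        else:
            parts.append(f"ip daddr {r.dst}")
        if r.ports:
            parts.append(f"{r.proto} dport {{ {', '.join(str(p) for p in r.ports)} }}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        lines.append("    " + " ".join(parts) + " accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def check_matrix() -> dict:
    """The step-5 tests from the article, evaluated against the policy."""
    return {
        "staff->fileserver smb":  permitted("10.0.10.23", FILESERVER, "tcp", 445),
        "staff->dc kerberos":     permitted("10.0.10.23", DC, "tcp", 88),
        "guest->fileserver smb":  permitted("10.0.30.7", FILESERVER, "tcp", 445),
        "server->staff rdp":      permitted(FILESERVER, "10.0.10.23", "tcp", 3389),
        "staff->printer ipp":     permitted("10.0.10.23", PRINTER, "tcp", 631),
        "printer->staff ssh":     permitted(PRINTER, "10.0.10.23", "tcp", 22),
        "guest->internet https":  permitted("10.0.30.7", "203.0.113.10", "tcp", 443),
    }


if __name__ == "__main__":
    for name, ok in check_matrix().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
    print(render_nftables())
```

Run it after every rule change; if a row in check_matrix() flips, you know before the maintenance window rather than after. The rendered chain is only a starting point for a Linux router: on pfSense, OPNsense or MikroTik, transcribe the same rows into that product's rule table, keeping the default-deny and the stateful rule.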

CIS Controls v8.1 asks for exactly this: Safeguard 12.2 (a secure network architecture that includes segmentation) and Safeguard 13.4 (traffic filtering between network segments). Three VLANs on an entry-level managed switch get you there for under $300.

IDS/IPS: Snort, Suricata, and Zeek for Traffic Visibility

Segmentation stops devices from talking when they should not. But you also need to know what is happening inside the traffic you do allow. This is where Intrusion Detection and Prevention Systems (IDS/IPS) and network monitoring tools come in.

Snort and Suricata: Signature-based detection

Both are open-source IDS/IPS engines that inspect network packets against a database of known attack signatures. They spot malware callbacks, brute-force attempts, port scans, and exploit traffic in real time.

  • Snort: Maintained by Cisco Talos. The free Registered ruleset is released 30 days after the paid Subscriber ruleset (the separate Community ruleset is free without registration but covers less). A business Subscriber licence (around $400 per year per sensor) gives you the rules the day Talos publishes them.
  • Suricata: Multi-threaded, so it makes good use of a modern multi-core box. It uses Snort-compatible rule syntax, and the usual rulesets come from Proofpoint's Emerging Threats project rather than from Suricata itself: ET Open is free and covers most commodity threats; ET Pro (about $600 per year per sensor for commercial use, check current pricing) adds faster coverage and threat-intelligence feeds.

Both are free to install. Placement decides what they can do. Inline at your network edge (between your router and switch, with the box bridging two NICs) they can run as an IPS and drop traffic; on a mirrored switch port (SPAN port) they are passive, see a copy of the traffic, and can only alert. Start passive: an inline sensor that is misconfigured or overloaded takes the office offline. For a small office with one internet connection, Suricata on a refurbished small-form-factor PC ($200) running Ubuntu LTS, with a second NIC for the SPAN feed, is your entire hardware cost. Note that a SPAN of the router uplink only shows traffic that crosses the router; workstation-to-workstation traffic inside a VLAN stays on the switch unless you mirror those ports too.

Zeek (formerly Bro): Behavioral monitoring

Zeek is not signature-based. It turns every connection into structured logs (conn.log, dns.log, ssl.log, http.log and more) that record who talked to whom, on which port, for how long, and how much data moved. Out of the box it does not decide what is unusual for you: the detections come from Zeek scripts or from queries over its logs in your SIEM. That is where you catch a workstation suddenly connecting to 50 external IPs, a printer initiating outbound SSH, or a laptop opening SMB to every server in turn: the things signature-based tools miss, such as data exfiltration, lateral movement within allowed VLAN traffic, and insider threats.

Zeek is free and runs on the same hardware as Suricata. The two complement each other: Suricata alerts on (or, inline, blocks) known bad traffic, and Zeek gives you the connection history to spot behaviour that matches no signature.
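What "Zeek flags it" looks like in practice is a few lines of logic over conn.log. The script below is an added example, not code from the article or from the Zeek project. It parses the tab-separated conn.log format using the #fields header, then applies three checks that correspond to the behaviours described above: a local host fanning out to many external hosts, a host on the IoT VLAN initiating any connection to an internal host, and a host opening admin or file-share ports on many internal machines. The log excerpt is constructed and carries only a subset of conn.log's columns; because the parser is header-driven, a real conn.log with its full column set works unchanged. The subnets and thresholds are assumptions to tune for your network.

```python
"""Behavioural checks over a Zeek conn.log (added example, not from the article
or the Zeek project). The excerpt below is constructed; the parser follows the
#fields header, so a real conn.log with all its columns parses the same way."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/8")]          # assumption: internal space
IOT_NET = ip_network("10.0.30.0/24")             # VLAN 30 in the article's layout
FANOUT_EXTERNAL = 20      # distinct external hosts from one source = suspicious
FANOUT_LATERAL = 5        # distinct internal hosts on admin/file-share ports
LATERAL_PORTS = {22, 445, 3389, 5985}

SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
     "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring"]
    # a staff laptop trying SMB on every address in the server VLAN (constructed)
    + [f"1700000{n:03d}.0\tC{n}\t10.0.10.23\t5{n:04d}\t10.0.20.{n}\t445\ttcp\t-\tS0"
       for n in range(1, 9)]
    # a printer on the IoT VLAN opening SSH to a workstation (constructed)
    + ["1700000100.0\tCp1\t10.0.30.50\t40001\t10.0.10.23\t22\ttcp\tssh\tSF"]
    # a workstation talking to 25 different external hosts (constructed)
    + [f"17000002{n:02d}.0\tCx{n}\t10.0.10.40\t4{n:04d}\t203.0.113.{n}\t443\ttcp\tssl\tSF"
       for n in range(1, 26)]
    # ordinary traffic that should not be flagged (constructed)
    + ["1700000300.0\tCn1\t10.0.10.23\t50100\t10.0.20.10\t445\ttcp\tsmb\tSF",
       "1700000301.0\tCn2\t10.0.30.50\t40002\t203.0.113.200\t443\ttcp\tssl\tSF"]
)


def parse_conn_log(text: str):
    """Yield one dict per record, keyed by the names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def is_local(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_suspicious(text: str) -> list:
    """Return human-readable findings for the three behaviours described above."""
    external_dsts = defaultdict(set)     # source -> distinct external responders
    lateral_dsts = defaultdict(set)      # source -> distinct internal responders
    findings = []
    for rec in parse_conn_log(text):
        src, dst, dport = rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"])
        if not is_local(src):
            continue                     # inbound flows are a separate question
        if is_local(dst):
            if dport in LATERAL_PORTS:
                lateral_dsts[src].add(dst)
            if ip_address(src) in IOT_NET:   # IoT VLAN must never initiate inward
                findings.append(f"IoT host {src} initiated {rec['proto']}/{dport} "
                                f"to internal host {dst}")
        else:
            external_dsts[src].add(dst)
    for src, dsts in external_dsts.items():
        if len(dsts) >= FANOUT_EXTERNAL:
            findings.append(f"{src} contacted {len(dsts)} distinct external hosts")
    for src, dsts in lateral_dsts.items():
        if len(dsts) >= FANOUT_LATERAL:
            sample = ", ".join(sorted(dsts)[:3])
            findings.append(f"{src} opened admin or file-share ports on {len(dsts)} "
                            f"internal hosts (e.g. {sample})")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_CONN_LOG):
        print(finding)
```

Point it at /opt/zeek/logs/current/conn.log (or the rotated daily files) instead of the constructed string and run it from cron or your SIEM. The thresholds are deliberately crude; the useful part is that each check names a policy the VLAN layout already made explicit, so a hit is a policy violation rather than a statistical curiosity.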

What this costs

Option                          Software   Hardware   Rules / TI feed                          Total, year 1
Suricata + Zeek on refurb PC    $0         $200       ET Pro, about $600/yr per sensor         about $800
Snort on existing server        $0         $0         Talos Subscriber, about $400/yr          about $400
Suricata on pfSense/OPNsense    $0         $0         ET Open, free                            $0

The zero-dollar option works. A $200 refurbished Dell OptiPlex with Suricata and Zeek is a production-grade monitoring stack that most SMBs can deploy in an afternoon.

NAC: Stop Rogue Devices Before They Connect

VLANs only work if the right devices end up on the right VLAN. Network Access Control (NAC) enforces that. When someone plugs a device into a port, NAC checks what it is and assigns it to the appropriate VLAN, or blocks it entirely if it is not authorized.

PacketFence is an open-source NAC system that integrates with your existing switches and wireless controllers. It supports 802.1X authentication (username and certificate), MAC-based authentication, and captive portal registration for guests.

Deployment options:

  • Inline mode: PacketFence becomes a gateway that all traffic passes through. Simple but introduces a single point of failure unless you run it in a high-availability pair.
  • Out-of-band mode: PacketFence controls VLAN assignment on your switch via SNMP or RADIUS. No inline traffic bottleneck.

For an SMB, the out-of-band setup on a Linux VM is the sweet spot: free software, no traffic bottleneck, strong enforcement. Size the VM to the minimums in PacketFence's installation guide (recent releases ask for a multi-core CPU and well over 4 GB of RAM, because the box runs a database, FreeRADIUS and the web portal); a 2 vCPU, 4 GB VM is too small for production use.

Portnox: Cloud-managed alternative

If you want zero on-premises infrastructure, Portnox CLEAR is a cloud-delivered NAC service that handles 802.1X certificate provisioning, risk-based access policies, and device profiling. Pricing starts around $3 per device per month. For a 50-device office, that is $150/month or $1,800/year. No server to maintain, no switch configuration beyond pointing RADIUS at Portnox's cloud.

RADIUS: The glue

Both PacketFence and Portnox use RADIUS (Remote Authentication Dial-In User Service) to talk to your switches and access points. Most managed switches have a RADIUS client built in. You configure the switch to ask the RADIUS server what VLAN to assign when a device connects. The RADIUS server (PacketFence or Portnox) makes the decision based on policy.
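The exchange described above, reduced to the bytes on the wire, as an added example that is not code from the article, PacketFence or Portnox. The switch sends an Access-Request carrying the device's MAC; the NAC server answers with an Access-Accept whose RFC 2868 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802, Tunnel-Private-Group-ID = the VLAN number) tell the switch which VLAN to put the port in. The security-relevant detail is the Response Authenticator: an MD5 over the reply, the request's random authenticator and the shared secret, which the switch must verify before it trusts the VLAN. Without that check, anyone who can reach the switch's management network could inject an Access-Accept that drops a rogue device into VLAN 20. The shared secret, the MAC-to-VLAN table and the MAC addresses are constructed; a real deployment also sends Message-Authenticator on every packet and, where the switch supports it, carries RADIUS over TLS.

```python
"""RADIUS MAC-authentication with dynamic VLAN assignment (RFC 2865 / RFC 2868).

Added example, not from the article, PacketFence or Portnox. The secret,
MAC-to-VLAN table and addresses are constructed. Builds the switch's
Access-Request, the NAC server's Access-Accept/Reject, and the Response
Authenticator check a switch must do before trusting the returned VLAN."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

SECRET = b"constructed-shared-secret"   # per-switch, long and random in practice
# NAC policy (constructed): known MACs and the VLAN each belongs on. Unknown MACs
# are rejected here; PacketFence would instead park them in a registration VLAN.
MAC_VLAN = {"00-11-22-33-44-55": 30, "00-11-22-33-44-66": 20}


def attr(t: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    assert len(value) <= 253
    return struct.pack("!BB", t, len(value) + 2) + value


def tagged_int(t: int, n: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: 1-byte tag followed by a 3-byte value."""
    return attr(t, bytes([tag]) + n.to_bytes(3, "big"))


def parse_attrs(body: bytes) -> list:
    out, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out.append((t, body[i + 2:i + length]))
        i += length
    return out


# ---- switch (RADIUS client) side -------------------------------------------
def build_access_request(mac: str, nas_port: int, ident: int):
    req_auth = os.urandom(16)               # Request Authenticator: random
    attrs = (attr(USER_NAME, mac.encode()) + attr(CALLING_STATION_ID, mac.encode())
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def switch_handle_response(resp: bytes, req_auth: bytes, ident: int):
    """Return the VLAN to assign, or None (port stays closed)."""
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return None
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest()
    if resp[4:20] != expected:
        return None                         # forged, replayed or wrong secret
    if code != ACCESS_ACCEPT:
        return None
    vlan = None
    for t, v in parse_attrs(resp[20:]):
        if t == TUNNEL_PRIVATE_GROUP_ID:    # strip the tag byte if present
            vlan = int(v[1:].decode()) if v[0] <= 0x1F else int(v.decode())
    return vlan


# ---- NAC server (PacketFence/Portnox role) side -----------------------------
def nac_respond(request: bytes) -> bytes:
    code, ident, _ = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = request[4:20]
    mac = next(v.decode() for t, v in parse_attrs(request[20:]) if t == CALLING_STATION_ID)
    vlan = MAC_VLAN.get(mac)
    if vlan is None:
        rcode, body = ACCESS_REJECT, b""
    else:
        rcode = ACCESS_ACCEPT
        body = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
                + attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan).encode()))
    header = struct.pack("!BBH", rcode, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SECRET).digest() + body


def authenticate(mac: str, nas_port: int = 7, ident: int = 42):
    """Full exchange: switch asks, server answers, switch verifies and extracts VLAN."""
    req, req_auth = build_access_request(mac, nas_port, ident)
    return switch_handle_response(nac_respond(req), req_auth, ident)


def forged_accept(mac: str, ident: int = 42):
    """An attacker without the secret injects an Access-Accept for VLAN 20."""
    _, req_auth = build_access_request(mac, 7, ident)
    body = attr(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"20")
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return switch_handle_response(header + os.urandom(16) + body, req_auth, ident)


if __name__ == "__main__":
    print("printer  ->", authenticate("00-11-22-33-44-55"))   # 30
    print("unknown  ->", authenticate("de-ad-be-ef-00-01"))   # None
    print("forged   ->", forged_accept("de-ad-be-ef-00-01"))  # None
```

When you configure a real switch, the same three attributes are what you look for in its RADIUS debug output; if the switch accepts the reply but leaves the port in the default VLAN, it usually means Tunnel-Medium-Type or the tag byte is missing, or dynamic VLAN assignment is disabled on the port. The shared secret is the only thing standing behind the authenticator check, so use a different, long secret per switch and never the vendor example.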

Quick-Win Audit Checklist

Run this audit on your network this week. Each item takes under an hour:

  1. Map your current network: Run nmap -sn 192.168.1.0/24 (adjust for your subnet) and list every device. A ping sweep misses hosts that drop ICMP, so also pull the ARP or MAC address table from your switch or router. Mark what each device is and which VLAN it belongs on.
  2. Check if your switch supports VLANs: Log in to the management interface and look for "802.1Q" or "VLAN" in the settings. If you see it, you have the capability. If not, a managed switch is your first purchase.
  3. Scan for open ports between devices: From a workstation, run nmap -p 22,139,445,3306,3389,5432,5985 --open <server-ip>, then run the same scan against another workstation. Every open port you did not explicitly need is a lateral movement path an attacker can use.
  4. Test guest network isolation: Connect your phone to the guest WiFi and try to access your file server by IP address. If it connects, your guest network is not isolated. Fix the firewall rules today.
  5. Install Suricata on a spare machine: sudo apt install suricata suricata-update on any Ubuntu box, run sudo suricata-update to fetch the ET Open ruleset, point Suricata at the interface that receives the SPAN feed, and let it run for 24 hours. Review /var/log/suricata/fast.log (or eve.json if you want to load the alerts into a SIEM). You will likely find traffic you did not know existed.
  6. Check if 802.1X is configured on your WiFi: Log in to your wireless controller and look for WPA2/WPA3-Enterprise or 802.1X settings. If your office WiFi uses a shared password (WPA2-Personal), anyone who knows the passphrase and captures a client's association handshake can decrypt that client's traffic, and you cannot revoke one departing employee's access without changing the passphrase for everyone.

FAQ

Do I need a full-time security person to run this?

No. Once VLANs are configured on your switch and firewall rules are set, they run without daily maintenance. Suricata and Zeek need weekly log review (30 minutes). PacketFence needs occasional policy updates when new device types join the network. If you have an IT person or MSP, this is well within their scope. If you do not, set aside two hours per month for monitoring review.

Will VLANs break my office applications?

Only if you segment without planning. Map out which devices genuinely need to talk before creating firewall rules. File servers need SMB (port 445) from the staff VLAN; domain controllers need the Active Directory ports (DNS, Kerberos, LDAP, SMB and RPC) from staff; printers on the IoT VLAN need IPP (port 631) or raw printing (9100) from staff, with the workstation initiating. Everything else gets blocked by default. Test in a maintenance window, not during business hours.

What about cloud services? Does segmentation matter if everything is in the cloud?

Yes. Your office network still connects to cloud services. If a compromised laptop can reach your cloud admin console or your cloud-hosted file server, segmentation did not fail, it was never applied. Zero Trust applies to cloud access paths too. Segment your internal network AND enforce conditional access policies on your cloud identity provider (Microsoft Entra ID, formerly Azure AD, or Google Workspace).

Is PacketFence hard to set up?

Moderate difficulty. The installation guide walks you through step by step. If you have configured a Linux server before, you can deploy PacketFence in a day. If not, Portnox CLEAR's cloud option removes the server management burden entirely.

Conclusion

Network segmentation is not reserved for enterprises with six-figure security budgets. A managed switch, three VLANs, Suricata on a refurbished PC, and PacketFence on a Linux VM get you 80% of the lateral movement protection that NIST SP 800-207 and CIS Controls v8 recommend. Total cost: $300 to $1,500 for a 20-person office.

Start this week. Map your network, enable VLANs, and install Suricata. Do not wait until ransomware has already spread across every machine in your office.

Not sure where to begin? Visit consult.lil.business for a free cybersecurity assessment. We will map your network exposure, identify your lateral movement risks, and give you a prioritized action plan you can implement immediately.

References

  1. NIST SP 800-207: Zero Trust Architecture
  2. CIS Controls v8.1: Network Infrastructure Management
  3. CISA/NSA: Advancing Zero Trust Maturity Throughout the Network and Environment Pillar
  4. Suricata IDS/IPS: Open Source Network Threat Detection
  5. PacketFence: Open Source NAC


Why You Might Be Wasting Money on Fancy Robot Helpers You Don't Need

TL;DR

  • According to McKinsey, fewer than 30% of businesses using AI have any clear way of measuring whether it's working [1]. That means most businesses paying for AI don't know if it's doing anything.
  • Free open-source AI tools have closed 80–90% of the performance gap with expensive paid tools for typical business tasks [2].
  • Five common AI money traps — and how to escape each one.
  • lil.business does a free AI spend audit to show you what's worth keeping and what's burning budget.

Imagine you hired five assistants to help with your business. But you never told them what to do. They just sat at their desks looking busy. You paid them every month. And at the end of the year, you had no idea what they'd actually done.

That's what most businesses' AI spending looks like right now.

A 2024 McKinsey report found that fewer than 30% of businesses using AI had any clear way of measuring whether it was working [1]. They had AI. They didn't know if it was doing anything.

Here are the five ways businesses waste money on AI — and exactly how to fix each one.


Waste #1: Paying for the Fancy Version When the Free One Does the Same Job

Think of it like a hammer. You can buy a $5 hammer or a $200 "professional" hammer with titanium handles. If you're hanging a picture, both drive the nail in fine.

Many AI tools work the same way. According to Andreessen Horowitz's 2024 AI infrastructure report, free open-source AI models have closed 80–90% of the performance gap with expensive paid models for typical business tasks — summarising documents, answering questions, drafting emails, sorting files [2]. The remaining 10–20% gap only matters for very specialised work.

So if you're paying $50/month for an AI writing tool to draft routine emails, there's a very good chance a free open-source model running on your own laptop does the same job at zero ongoing cost.

Fix: Before renewing any AI subscription, ask: "What exactly does this do?" Then ask: "Is there a free version that does the same thing?" Most of the time, there is.

Related: The $0 AI Stack — Free Robot Helpers for Your Business


Waste #2: Sending Your Business Secrets to Someone Else's Computer

When you use cloud AI tools like ChatGPT or Google Gemini to process your business documents, those documents travel across the internet to company servers — typically in the United States [3][4].

For sensitive business information, that creates real privacy obligations under the Australian Privacy Act 1988 [5]. Gartner predicts that by 2027, 40% of enterprise AI deployments will shift to on-device or on-premises inference driven by data sovereignty concerns [6].

The alternative — AI that runs on your computer, in your building, where nobody else can see it — is available for free.

Fix: Ask whether the AI tools you use are sending your data outside your business. If yes, and if that data is sensitive, look at local options. lil.business can help you figure out what's safe in the cloud and what should stay local.


Waste #3: Buying AI Without Knowing What Problem You're Solving

This is the most common mistake. Someone heard that AI is important. They signed up for three AI tools. They don't know if any of them are helping.

Here's the test: Can you complete this sentence? "Before we got this AI tool, [task] was taking [time/money]. Now it takes [less time/less money]."

If you can't fill in those blanks, you don't have ROI. You have a subscription.

Harvard Business Review found that companies with formal AI ROI measurement frameworks were 3× more likely to report positive returns from AI investments than those without [7]. The measurement doesn't need to be complicated. It just needs to exist.

Fix: For every AI tool you're paying for, write down what it was bought to do, how much time it saves, and what it costs. If the savings are less than the cost, cancel it.


Waste #4: Hiring Consultants Who Recommend the Most Expensive Tools

Some AI consultants get paid a cut when you buy the tools they recommend. That means they have a financial reason to recommend the expensive ones — even when a free option would work just as well.

Deloitte's 2024 Technology Consulting Trends report identified vendor lock-in enabled by consultant incentive structures as one of the top three drivers of wasted enterprise technology spend [8]. The same pattern plays out at SMB scale every day.

A good AI consultant starts by asking: "What problem are you trying to solve?" A bad one starts by saying: "You need [specific expensive product]."

Fix: Ask any AI consultant up front: "Do you receive any referral fees from the tools you recommend?" If yes, or if they won't answer, be cautious. lil.business doesn't take referral fees — we recommend what's right for you, not what earns us a commission.


Waste #5: Buying AI Tools Your Staff Never Use

The most expensive tool is one that sits unused. McKinsey found that AI-augmented knowledge workers are 20–40% more productive on tasks where they actively use AI assistance [1]. If nobody's using the tools, you're getting 0% of that uplift while paying for 100% of the subscription.

Gartner similarly found that adoption and usage rates — not model capability — are the primary predictor of AI ROI in SMB deployments [9]. The best AI in the world is useless if it stays unopened.

Fix: When you bring in any new AI tool, spend time showing staff specifically how it helps them. Build a small library of the five most useful ways to use it. Don't hand people software — show them how it makes the boring parts of their day disappear.


The Quick Self-Check

Answer these five questions honestly:

  1. Do you pay for AI tools you can't measure the value of?
  2. Are you sending sensitive documents through cloud AI?
  3. Did you buy AI tools without tracking what they were supposed to improve?
  4. Did your AI consultant show you a specific tool before understanding your business?
  5. Are there AI tools your team rarely touches?

1–2 yes: You're doing okay. Review the high-cost items.
3–4 yes: Real waste happening. Start with your most expensive tool.
5 yes: This is worth a proper review with lil.business.


FAQ

How do I know if I'm overpaying for an AI tool? If you can't name a specific task it's making faster or cheaper — and measure that improvement — you're probably overpaying. Companies with formal ROI frameworks are 3× more likely to see positive returns [7].

What's the difference between free AI and paid AI? For most everyday business tasks, not much. Open-source models handle document summarising, email drafting, classification, and data extraction at a quality level very close to the expensive paid tools for typical SMB workloads [2].

Is it risky to use AI tools that are free? Not if they're well-established and actively maintained. Tools like Ollama, n8n, and Chatwoot are used by thousands of businesses worldwide. The risk is in poorly-maintained tools — not in open-source as a category.

How much should I be spending on AI for my business? A rough guide: your AI spend should deliver at least 3× its cost in measurable value. Spending $500/month means pointing to $1,500/month in time saved or revenue generated [1].


References

[1] McKinsey & Company, "The State of AI in 2024: GenAI Adoption Spikes and Starts to Generate Value," McKinsey Global Institute, May 2024. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai

[2] Andreessen Horowitz, "The State of Open Source AI," a16z Research, Oct. 2024. [Online]. Available: https://a16z.com/the-state-of-open-source-ai/

[3] OpenAI, "API Pricing," OpenAI, 2024. [Online]. Available: https://openai.com/pricing

[4] Google, "Gemini for Google Workspace Pricing," Google, 2024. [Online]. Available: https://workspace.google.com/intl/en/pricing/gemini/

[5] Office of the Australian Information Commissioner (OAIC), "Privacy and AI: Australian Privacy Act 1988 Obligations," Australian Government, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-and-technology/artificial-intelligence

[6] Gartner, "Predicts 2025: Artificial Intelligence Infrastructure and On-Premises Inference," Gartner Research, Nov. 2024. [Online]. Available: https://www.gartner.com/en/documents/ai-infrastructure-predictions

[7] Harvard Business Review, "Making AI Investments Pay Off," Harvard Business Review, Sep. 2024. [Online]. Available: https://hbr.org/topic/subject/artificial-intelligence

[8] Deloitte, "2024 Technology Consulting and AI Adoption Trends," Deloitte Insights, 2024. [Online]. Available: https://www2.deloitte.com/global/en/pages/technology/articles/technology-consulting-ai-trends.html

[9] Gartner, "Key Factors in AI Adoption Success for SMBs," Gartner Research, 2024. [Online]. Available: https://www.gartner.com/en/small-business/insights/ai-adoption


Want to save money with AI? Let lilMONSTER show you how.
