TL;DR
Network segmentation stops attackers from roaming freely after they breach one device. For $200 to $3,000, any small business can deploy VLANs, set up IDS/IPS monitoring, and enforce Network Access Control. This article gives you the exact tools, costs, and a checklist you can start using this week.
Lateral movement is how a minor breach becomes a disaster. An attacker gets into the receptionist's desktop via a phishing email. That desktop sits on the same flat network as your accounting server, your customer database, and your backup NAS. The attacker doesn't need to breach those targets. They just walk sideways.
Network segmentation builds walls between your systems. Even if someone breaks in, they're trapped in a single room. Here's what you can actually implement this week, with real tools and real prices.
What Network Segmentation Actually Means for a Small Business
Most small business networks are flat. Every device, every server, every printer, every IoT camera sits on the same subnet. One compromised device gives attackers access to everything. This is the single biggest network security mistake SMBs make, and it costs almost nothing to fix.
The core idea: divide your network into zones based on trust and function. Corporate workstations in one zone. Servers in another. Guest WiFi in a third. IoT devices, payment terminals, and security cameras each get their own. Traffic between zones gets inspected and restricted. If something in the guest zone tries to talk to your accounting server, the network blocks it by default.
NIST SP 8
Step 1: VLAN Segmentation on Managed Switches ($200-$1,500)
VLANs (Virtual LANs) are the cheapest, fastest win in network security. They let you split one physical network into multiple logical networks, each isolated from the others. You don't need new cabling. You don't need new internet connections. You need a managed switch and about 2 hours.
What to buy:
A basic managed switch with VLAN support starts around $200. The Ubiquiti UniFi Switch Lite 8 PoE runs about $110 and handles 4 VLANs. For larger offices, a UniFi Switch 24 PoE ($400) or a MikroTik CRS326-24G-2S+ ($200) gives you 24 ports with full VLAN tagging. These aren't enterprise-grade Cisco Catalyst switches at $3,000+. They're SMB hardware that does the job.
What to segment:
At minimum, create 4 VLANs:
- Corporate LAN (VLAN 10): Workstations, laptops, trusted devices. This is where your staff works.
- Server LAN (VLAN 20): File servers, application servers, domain controllers. Lock this down tight.
- Guest WiFi (VLAN 30): Visitors, phones, untrusted devices. Zero access to internal resources.
- Management/IoT (VLAN 40): Printers, cameras, smart TVs, building controls. These devices are rarely patched and get compromised often.
How to deploy this week:
- Log into your router or firewall and create the 4 VLAN subnets (192.168.10.0/24, 192.168.20.0/24, etc.)
- Log into your managed switch and assign each port to the correct VLAN based on what's plugged in
- Set up firewall rules: Corporate LAN can reach Server LAN on specific ports only. Guest WiFi can reach nothing internal. IoT can only reach the internet.
- Test: plug a laptop into a Guest port and try to ping your file server. It should fail.
This is a Saturday morning project. Total cost: $200-$400 if you need a managed switch. Zero cost if you already have one.
Real numbers: SMBs that segment their networks reduce breach impact by an average of 48%, according to IBM's 2025 Cost of a Data Breach Report. Containment time drops from 73 days to 29 days when segmentation is in place.
Step 2: IDS/IPS — See Attacks Before They Spread
VLANs create the walls. IDS/IPS puts guards at every gate. An Intrusion Detection System watches traffic and alerts you when something looks malicious. An Intrusion Prevention System goes further and blocks it automatically.
Snort 3 (Free, Open Source):
Snort is the most deployed IDS/IPS on the planet, maintained by Cisco. Snort 3 (released 2020, stable since 2023) is a complete rewrite with better performance and multi-threading. It runs on any spare Linux box or VM.
Deploy Snort on a machine with 2 network interfaces. Place it inline between your firewall and your core switch. Enable the community ruleset (free) or subscribe to the Talos registered rules ($30/month for individuals, $400/year for business). The community rules cover the top threats. The registered rules give you same-day coverage for new exploits.
# Install Snort 3 on Ubuntu 24.04
sudo apt install snort3
# Passive IDS on a single mirror/span interface: alerts only, nothing is blocked
sudo snort -c /etc/snort/snort.lua -i eth0 --daq afpacket
# Inline IPS across the two NICs (firewall side and switch side); -Q enables blocking
sudo snort -c /etc/snort/snort.lua --daq afpacket -i eth0:eth1 -Q
Suricata (Free, Open Source):
Suricata is Snort's main competitor. It's multi-threaded by design, handles 10 Gbps on commodity hardware, and includes protocol parsing for HTTP, TLS, DNS, and SMB out of the box. If your office pushes more than 100 Mbps, Suricata will handle the load better than Snort.
Zeek (Free, Open Source):
Zeek (formerly Bro) is different from Snort or Suricata. It doesn't just match signatures. It builds a complete transcript of every network connection: who talked to whom, what protocol, what files were transferred, what SSL certificates were presented. When an alert fires from Snort, Zeek gives you the full context to investigate. It's the difference between "something bad happened" and "a workstation on VLAN 10 uploaded 47 MB to an IP in Russia at 3:14 AM."
Deploy Zeek on the same hardware as your IDS. Point it at a mirror port on your switch. Total cost: $0 for software. Hardware cost: $0 if you have a spare desktop. $500-$800 for a refurbished Dell OptiPlex or Lenovo ThinkCentre with an extra NIC.
What you get:
- Snort/Suricata: Blocks known attacks (exploit kits, C2 callbacks, ransomware signatures)
- Zeek: Shows you everything that happened before and after the alert
- Together: Detection plus investigation capability on a $500 budget
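The context Zeek adds is easiest to see on an actual log. The script below is an added example, not the article's or Zeek's own code: it parses a constructed fragment of Zeek's conn.log (tab-separated, with the standard #fields header) and, given the source and destination from a Snort alert, pulls the matching connection and reports how much the workstation sent and when. It also flags any connection whose internal side uploaded more than a threshold, which is the kind of question you ask after an alert fires. The log rows, the alert and the addresses are made up; the column names are the real conn.log fields.

```python
from datetime import datetime, timezone

# Constructed conn.log fragment in Zeek's TSV format (a subset of the real fields).
# The '#fields' header is what real Zeek logs carry; the rows are made up.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\t"
    "duration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1700000040.12\tCa1b2c\t192.168.10.23\t51022\t192.168.20.10\t445\ttcp\tsmb\t3.1\t1200\t5400\tSF\n"
    "1700000050.00\tCd3e4f\t192.168.10.23\t51100\t203.0.113.77\t443\ttcp\tssl\t180.5\t49283072\t8120\tSF\n"
    "1700000060.30\tCg5h6i\t192.168.40.9\t40000\t8.8.8.8\t53\tudp\tdns\t0.02\t60\t120\tSF\n"
    "#close\t2023-11-14-22-15-00\n"
)


def parse_conn_log(text: str) -> list[dict]:
    """Parse Zeek TSV into dicts keyed by the '#fields' header; values stay strings."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # separator, path, types, open/close lines carry no records
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def find_alert_context(records, orig_h, resp_h, alert_ts, window_s=300):
    """Connections between the alert's endpoints within window_s seconds of the alert."""
    return [
        r for r in records
        if r["id.orig_h"] == orig_h and r["id.resp_h"] == resp_h
        and abs(float(r["ts"]) - alert_ts) <= window_s
    ]


def large_uploads(records, min_bytes):
    """Connections where the internal side sent at least min_bytes (possible exfiltration)."""
    # Zeek writes '-' for an unset field, so guard before converting.
    return [r for r in records if r["orig_bytes"] != "-" and int(r["orig_bytes"]) >= min_bytes]


def describe(r) -> str:
    """Turn one record into the sentence an analyst actually wants to read."""
    when = datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc).strftime("%H:%M UTC")
    mb = int(r["orig_bytes"]) / (1024 * 1024)
    return (f"{r['id.orig_h']} uploaded {mb:.0f} MB to {r['id.resp_h']}:{r['id.resp_p']} "
            f"({r['service']}) at {when}, uid {r['uid']}")


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    # Constructed alert: Snort flagged a C2 callback from the workstation to 203.0.113.77.
    for r in find_alert_context(recs, "192.168.10.23", "203.0.113.77", alert_ts=1700000052.0):
        print("alert context:", describe(r))
    for r in large_uploads(recs, min_bytes=10 * 1024 * 1024):
        print("large upload:", describe(r))
```

The uid in the output is the handle you then use to pull the matching rows from Zeek's ssl.log, files.log or dns.log, which share the same connection uid; that is what turns "something bad happened" into a timeline.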
Step 3: Network Access Control — Unknown Device? No Entry
VLANs segment the network. IDS/IPS watches for attacks. NAC enforces who gets on the network in the first place. Network Access Control checks every device before it gets an IP address. Unknown device? Guest network only, or blocked entirely.
PacketFence (Free, Open Source):
PacketFence is the leading open-source NAC. It integrates with your existing switches and WiFi access points using 802.1X, MAC authentication, or captive portals. When a device connects, PacketFence checks it against your policies. Compliant corporate laptop with the right certificates? Corporate VLAN. Unknown phone? Guest VLAN with internet only. Device missing security patches? Quarantine VLAN until it's updated.
Deploy PacketFence on a dedicated server or VM. It supports Ubiquiti, MikroTik, Cisco, HPE, Aruba, and most managed switches that speak SNMP or RADIUS. Full feature list: device registration portal, BYOD onboarding, compliance checks (AV running, patches current), automated VLAN assignment, and integration with your existing SIEM.
# PacketFence install on Debian/Ubuntu
wget https://packetfence.org/downloads/PacketFence-13.1.0.iso
# Deploy the ISO to a VM with 4GB RAM, 2 vCPUs, 40GB disk
Portnox (Cloud, $2-$5/device/month):
If you don't want to manage another server, Portnox CLEAR is a cloud-native NAC. No on-premises hardware. It uses certificate-based authentication and integrates with Azure AD, Google Workspace, or Okta for identity. Each device gets a certificate during onboarding. No certificate = no network access. Pricing starts around $2 per device per month for basic features. The full compliance and risk-scoring tier runs $5 per device per month. For a 30-person office, that's $60-$150 a month.
RADIUS with FreeRADIUS (Free, Open Source):
If you just need basic 802.1X authentication without the full NAC feature set, FreeRADIUS on a Linux box handles it. Configure your WiFi access points and switches to require RADIUS authentication. Users log in with their directory credentials. Unknown credentials get bounced to a guest VLAN. Total cost: $0 for software, about 4 hours to configure.
Cost breakdown for an SMB deployment:
| Component | Free/DIY | Basic SMB | Full-featured |
|---|---|---|---|
| Managed Switch | $200 (8-port) | $400 (24-port) | $1,500 (PoE+) |
| IDS/IPS Hardware | Spare desktop | $500 (refurb server) | $800 (new mini-PC) |
| IDS Rules Feed | Free (community) | $30/mo (registered) | $400/yr (Talos) |
| NAC Software | PacketFence ($0) | Portnox ($60/mo) | Portnox ($150/mo) |
| Total Year 1 | $200 | $1,360 | $2,700 |
Quick-Win Audit: Find Your Exposure This Week
Before buying anything, audit what you already have. Most SMBs discover they're far more exposed than they realized.
The 6-point network exposure checklist:
- Map every device on your network. Run `nmap -sP 192.168.1.0/24` from any workstation. Count the devices. If you find 50 devices and only 20 are staff computers, you've got shadow IT and orphaned IoT to deal with.
- Check if your guest WiFi can reach internal resources. Connect your phone to the guest network. Try to access `\\fileserver\share` or `http://192.168.1.10`. If it works, your guest network isn't segmented.
- Scan for open management ports. Run `nmap -p 22,23,80,443,3389,8080,8443 192.168.1.0/24`. Find printers, cameras, and switches with web interfaces exposed. These are attack surface.
- Check if any IoT devices are on the corporate network. Security cameras, smart TVs, thermostats, door controllers. If they share a subnet with your workstations, they're a pivot point. One unpatched camera is the attacker's entry to your entire network.
- Audit your switch's VLAN table. Log into your switch. Is there more than one VLAN configured? If the only VLAN is VLAN 1 (default), you have no segmentation.
- Test lateral movement yourself. From any workstation, run `nmap -sS 192.168.1.0/24` and note which servers respond on ports 445 (SMB), 3389 (RDP), and 3306 (MySQL). If your receptionist's PC can reach your SQL server, attackers can too.
This audit takes 2 hours. It shows you exactly where you're exposed. The results will tell you whether you need VLANs first, IDS first, or both.
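To turn the nmap runs in the checklist into a short report rather than a screenful of output, save each scan with -oG and feed the file to a script. The one below is an added example, not part of the original article: it parses nmap's greppable output format, counts the hosts that answered (audit point 1), lists the management ports reachable from the workstation you scanned from (point 3), and lists the lateral-movement ports 445, 3389 and 3306 that answered (point 6). The scan output embedded in it is constructed to look like a flat 192.168.1.0/24 network; the host names and addresses are made up.

```python
import re

# Constructed nmap greppable (-oG) output, as if produced by
#   nmap -sS -p 22,23,80,443,445,3306,3389,8080,8443 -oG audit.gnmap 192.168.1.0/24
# run from a workstation on a flat network. Hosts and names are made up.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sS -p 22,23,80,443,445,3306,3389,8080,8443 -oG audit.gnmap 192.168.1.0/24
Host: 192.168.1.10 (fileserver)\tStatus: Up
Host: 192.168.1.10 (fileserver)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 3306/closed/tcp//mysql///\tIgnored State: filtered (6)
Host: 192.168.1.20 (dbserver)\tStatus: Up
Host: 192.168.1.20 (dbserver)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (7)
Host: 192.168.1.57 ()\tStatus: Up
Host: 192.168.1.57 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (7)
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 9.87 seconds
"""

# Ports the article's checklist calls out, with the name an analyst reports.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 3306: "MySQL"}
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080, 8443}

# -oG host lines look like: "Host: <ip> (<name>)<TAB><Status|Ports>: ..."
HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)\t(.*)$")


def parse_gnmap(text: str) -> dict[str, dict]:
    """Return {ip: {"name": str, "up": bool, "open": {port: service}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines ("# Nmap ...") carry no host data
        ip, name, rest = m.groups()
        h = hosts.setdefault(ip, {"name": name, "up": False, "open": {}})
        if rest.startswith("Status: Up"):
            h["up"] = True
        elif rest.startswith("Ports:"):
            h["up"] = True  # a host with a port table answered the scan
            ports_field = rest[len("Ports: "):].split("\t")[0]
            for entry in ports_field.split(", "):
                # Each entry is port/state/proto/owner/service/rpc/version/
                parts = entry.split("/")
                port, state, service = int(parts[0]), parts[1], parts[4]
                if state == "open":
                    h["open"][port] = service
    return hosts


def hosts_up(hosts) -> int:
    """Audit point 1: how many devices answered; compare with your staff device count."""
    return sum(1 for h in hosts.values() if h["up"])


def lateral_exposure(hosts) -> list[tuple[str, int, str]]:
    """Audit point 6: hosts reachable on the ports a breach pivots over, sorted by ip then port."""
    found = []
    for ip, h in sorted(hosts.items()):
        for port in sorted(h["open"]):
            if port in LATERAL_PORTS:
                found.append((ip, port, LATERAL_PORTS[port]))
    return found


def management_exposure(hosts) -> dict[str, list[int]]:
    """Audit point 3: hosts whose admin interfaces answer from this workstation."""
    return {ip: sorted(p for p in h["open"] if p in MANAGEMENT_PORTS)
            for ip, h in sorted(hosts.items())
            if any(p in MANAGEMENT_PORTS for p in h["open"])}


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    print(f"{hosts_up(hosts)} hosts answered; compare with your staff device count")
    for ip, port, name in lateral_exposure(hosts):
        print(f"lateral: {ip} ({hosts[ip]['name'] or 'unnamed'}) answers {name} on {port}")
    for ip, ports in management_exposure(hosts).items():
        note = "; telnet (23) is cleartext, disable it" if 23 in ports else ""
        print(f"management: {ip} exposes {ports}{note}")
```

Run the same scan again after the VLAN cut-over, from a guest port and from an IoT port, and the lateral list should come back empty from both; a line that survives is a rule you forgot.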
FAQ
Do I need all three (VLANs, IDS/IPS, NAC) at once?
No. Start with VLANs. They're the foundation, the cheapest, and the fastest win. Add IDS/IPS as step two once your zones are defined. NAC comes last because it's the most complex to tune. A 5-person office with VLANs and a basic IDS is dramatically more secure than a 50-person office with a flat network.
Will this slow down my network?
VLANs don't add latency. A properly-sized IDS/IPS on adequate hardware adds less than 1ms of latency. The main bottleneck is throughput: a basic Suricata instance on a $500 server handles 500 Mbps of inspection. If your internet connection is 100 Mbps, you'll never notice it.
Can I do this if I don't have an IT team?
VLAN setup takes an afternoon with YouTube tutorials. IDS/IPS takes a weekend to set up and about 2 hours a week to review alerts. NAC (PacketFence) takes a full weekend for initial setup, then mostly runs itself. If you're a solo business owner, hire an MSP or consultant for the initial setup and learn to review the dashboards yourself.
What if I use cloud apps and have no on-premises servers?
Network segmentation matters more if you're cloud-only because your endpoints are the only thing left for attackers to pivot through. If 15 laptops share a flat network, one phishing compromise exposes all 15. VLANs isolate each device group. IDS catches callbacks to attacker infrastructure. NAC blocks rogue devices. Cloud or on-prem, the perimeter moved to the endpoint. Protect it.
Conclusion
Network segmentation is not an enterprise luxury. It's a weekend project that costs between $200 and $3,000 and permanently reduces your breach impact. Start with the 6-point audit this week. If you find a flat network with guest WiFi touching your servers, you know what to fix first. Buy a managed switch. Set up 4 VLANs. Deploy Suricata on a spare machine. Lock down access between zones. Every hour you spend segmenting now saves weeks of incident response later.
Need help figuring out where to start? Visit consult.lil.business for a free cybersecurity assessment. We'll map your network exposure and give you a prioritized action plan, no obligation.
References
- NIST SP 800-207 — Zero Trust Architecture
- CIS Controls v8 — Network Infrastructure Management
- PacketFence Open Source NAC — Deployment Guide
- Snort 3 IDS/IPS — Official Documentation
- Suricata — Open Source Threat Detection Engine
- Zeek Network Security Monitor — Documentation
Why You Might Be Wasting Money on Fancy Robot Helpers You Don't Need
TL;DR
- According to McKinsey, fewer than 30% of businesses using AI have any clear way of measuring whether it's working [1]. That means most businesses paying for AI don't know if it's doing anything.
- Free open-source AI tools have closed 80–90% of the performance gap with expensive paid tools for typical business tasks [2].
- Five common AI money traps — and how to escape each one.
- lil.business does a free AI spend audit to show you what's worth keeping and what's burning budget.
Imagine you hired five assistants to help with your business. But you never told them what to do. They just sat at their desks looking busy. You paid them every month. And at the end of the year, you had no idea what they'd actually done.
That's what most businesses' AI spending looks like right now.
A 2024 McKinsey report found that fewer than 30% of businesses using AI had any clear way of measuring whether it was working [1]. They had AI. They didn't know if it was doing anything.
Here are the five ways businesses waste money on AI — and exactly how to fix each one.
Waste #1: Paying for the Fancy Version When the Free One Does the Same Job
Think of it like a hammer. You can buy a $5 hammer or a $200 "professional" hammer with titanium handles. If you're hanging a picture, both drive the nail in fine.
Many AI tools work the same way. According to Andreessen Horowitz's 2024 AI infrastructure report, free open-source AI models have closed 80–90% of the performance gap with expensive paid models for typical business tasks — summarising documents, answering questions, drafting emails, sorting files [2]. The remaining 10–20% gap only matters for very specialised work.
So if you're paying $50/month for an AI writing tool to draft routine emails, there's a very good chance a free open-source model running on your own laptop does the same job at zero ongoing cost.
Fix: Before renewing any AI subscription, ask: "What exactly does this do?" Then ask: "Is there a free version that does the same thing?" Most of the time, there is.
Related: The $0 AI Stack — Free Robot Helpers for Your Business
Waste #2: Sending Your Business Secrets to Someone Else's Computer
When you use cloud AI tools like ChatGPT or Google Gemini to process your business documents, those documents travel across the internet to company servers — typically in the United States [3][4].
For sensitive business information, that creates real privacy obligations under the Australian Privacy Act 1988 [5]. Gartner predicts that by 2027, 40% of enterprise AI deployments will shift to on-device or on-premises inference driven by data sovereignty concerns [6].
The alternative — AI that runs on your computer, in your building, where nobody else can see it — is available for free.
Fix: Ask whether the AI tools you use are sending your data outside your business. If yes, and if that data is sensitive, look at local options. lil.business can help you figure out what's safe in the cloud and what should stay local.
Waste #3: Buying AI Without Knowing What Problem You're Solving
This is the most common mistake. Someone heard that AI is important. They signed up for three AI tools. They don't know if any of them are helping.
Here's the test: Can you complete this sentence? "Before we got this AI tool, [task] was taking [time/money]. Now it takes [less time/less money]."
If you can't fill in those blanks, you don't have ROI. You have a subscription.
Harvard Business Review found that companies with formal AI ROI measurement frameworks were 3× more likely to report positive returns from AI investments than those without [7]. The measurement doesn't need to be complicated. It just needs to exist.
Fix: For every AI tool you're paying for, write down what it was bought to do, how much time it saves, and what it costs. If the savings are less than the cost, cancel it.
Waste #4: Hiring Consultants Who Recommend the Most Expensive Tools
Some AI consultants get paid a cut when you buy the tools they recommend. That means they have a financial reason to recommend the expensive ones — even when a free option would work just as well.
Deloitte's 2024 Technology Consulting Trends report identified vendor lock-in enabled by consultant incentive structures as one of the top three drivers of wasted enterprise technology spend [8]. The same pattern plays out at SMB scale every day.
A good AI consultant starts by asking: "What problem are you trying to solve?" A bad one starts by saying: "You need [specific expensive product]."
Fix: Ask any AI consultant up front: "Do you receive any referral fees from the tools you recommend?" If yes, or if they won't answer, be cautious. lil.business doesn't take referral fees — we recommend what's right for you, not what earns us a commission.
Waste #5: Buying AI Tools Your Staff Never Use
The most expensive tool is one that sits unused. McKinsey found that AI-augmented knowledge workers are 20–40% more productive on tasks where they actively use AI assistance [1]. If nobody's using the tools, you're getting 0% of that uplift while paying for 100% of the subscription.
Gartner similarly found that adoption and usage rates — not model capability — are the primary predictor of AI ROI in SMB deployments [9]. The best AI in the world is useless if it stays unopened.
Fix: When you bring in any new AI tool, spend time showing staff specifically how it helps them. Build a small library of the five most useful ways to use it. Don't hand people software — show them how it makes the boring parts of their day disappear.
The Quick Self-Check
Answer these five questions honestly:
- Do you pay for AI tools you can't measure the value of?
- Are you sending sensitive documents through cloud AI?
- Did you buy AI tools without tracking what they were supposed to improve?
- Did your AI consultant show you a specific tool before understanding your business?
- Are there AI tools your team rarely touches?
1–2 yes: You're doing okay. Review the high-cost items. 3–4 yes: Real waste happening. Start with your most expensive tool. 5 yes: This is worth a proper review with lil.business.
FAQ
How do I know if I'm overpaying for an AI tool? If you can't name a specific task it's making faster or cheaper — and measure that improvement — you're probably overpaying. Companies with formal ROI frameworks are 3× more likely to see positive returns [7].
What's the difference between free AI and paid AI? For most everyday business tasks, not much. Open-source models handle document summarising, email drafting, classification, and data extraction at a quality level very close to the expensive paid tools for typical SMB workloads [2].
Is it risky to use AI tools that are free? Not if they're well-established and actively maintained. Tools like Ollama, n8n, and Chatwoot are used by thousands of businesses worldwide. The risk is in poorly-maintained tools — not in open-source as a category.
How much should I be spending on AI for my business? A rough guide: your AI spend should deliver at least 3× its cost in measurable value. Spending $500/month means pointing to $1,500/month in time saved or revenue generated [1].
References
[1] McKinsey & Company, "The State of AI in 2024: GenAI Adoption Spikes and Starts to Generate Value," McKinsey Global Institute, May 2024. [Online]. Available: https://www.mckinsey.com/capabilities/quantumblack/our-insights/the-state-of-ai
[2] Andreessen Horowitz, "The State of Open Source AI," a16z Research, Oct. 2024. [Online]. Available: https://a16z.com/the-state-of-open-source-ai/
[3] OpenAI, "API Pricing," OpenAI, 2024. [Online]. Available: https://openai.com/pricing
[4] Google, "Gemini for Google Workspace Pricing," Google, 2024. [Online]. Available: https://workspace.google.com/intl/en/pricing/gemini/
[5] Office of the Australian Information Commissioner (OAIC), "Privacy and AI: Australian Privacy Act 1988 Obligations," Australian Government, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/privacy-and-technology/artificial-intelligence
[6] Gartner, "Predicts 2025: Artificial Intelligence Infrastructure and On-Premises Inference," Gartner Research, Nov. 2024. [Online]. Available: https://www.gartner.com/en/documents/ai-infrastructure-predictions
[7] Harvard Business Review, "Making AI Investments Pay Off," Harvard Business Review, Sep. 2024. [Online]. Available: https://hbr.org/topic/subject/artificial-intelligence
[8] Deloitte, "2024 Technology Consulting and AI Adoption Trends," Deloitte Insights, 2024. [Online]. Available: https://www2.deloitte.com/global/en/pages/technology/articles/technology-consulting-ai-trends.html
[9] Gartner, "Key Factors in AI Adoption Success for SMBs," Gartner Research, 2024. [Online]. Available: https://www.gartner.com/en/small-business/insights/ai-adoption
Want to save money with AI? Let lilMONSTER show you how.