A local coffee shop called me in to run a new wire for their point of sale system. First time I had ever met them. Simple enough job, and I was there to do exactly that.
While I was tracing the run, I started looking at what everything connected to. One Spectrum combo device. POS system, staff computers, and guest wifi, all sharing the same network with nothing separating them.
I finished the wire. But before I left, I told them I needed to mention something even though it was outside the reason they called me. I did not know them, it was our first conversation, and I was not there to sell them anything. I said it anyway, because I could not professionally walk out the door without it.
What I explained to them is what I am about to explain here.
The device your ISP installs when they set up your service is designed to get a location online. It does that job adequately. What it cannot do is act as a real firewall, enforce rules between network segments, or create any meaningful separation between your payment environment and everything else on the connection. It was never built for that purpose.
The Payment Card Industry Data Security Standard, which most people know simply as PCI compliance, has a specific term for what they had: a flat network. The standard is direct about what that means. Without segmentation, your entire network is in scope for a PCI assessment. Every device, every connection. The standard requires firewall controls between your payment systems and other traffic. A consumer combo unit does not satisfy that requirement.
The practical risk on a flat network is lateral movement. A compromised guest device, or someone who knows what they are doing, can potentially reach other devices on the same network, including your POS terminal, your patient records, your client files, your financial accounts. The network does not know the difference between a guest checking Instagram and someone looking for something they should not find. It just routes traffic.
PCI is not the only framework with something to say about this. HIPAA has equivalent expectations around how patient data is handled and protected. State bar rules for attorneys are moving in the same direction. Any business where confidentiality is not optional is operating under some version of this same obligation, whether they know it or not.
This is not theoretical. The 2013 Target breach, which cost the company over $200 million in settlements alone and ultimately ended the CEO’s tenure, became a catastrophe specifically because of this kind of network boundary failure. Attackers entered through a third-party vendor’s access point and moved laterally until they reached cardholder data. The segmentation that should have stopped them did not exist. Target had a full IT department. The coffee shop on your corner has a Spectrum box. The mechanism is identical regardless of scale.
I included a note about all of this with their invoice, along with specific recommendations, because finding the problem and saying nothing more about it felt like only doing half the job.
Here is the part that tends to surprise people. Fixing this is not a large project. A commercial-grade firewall at the perimeter and a managed wireless access point that genuinely isolates staff and guest traffic is the core of what changes. The cost is modest, the installation is not disruptive, and the difference between having it and not having it is the difference between a manageable environment and one where you are hoping nothing goes wrong.
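To make the segmentation concrete, here is an added example (not the author's configuration or any particular vendor's) of what "rules between network segments" looks like as an nftables ruleset on a firewall that routes three VLANs. The interface names, the placeholder payment processor range, and the management ports are assumptions for illustration; guest client isolation on the access point itself is a separate setting this does not cover.

```nft
#!/usr/sbin/nft -f
# Assumed (hypothetical) interfaces: wan0 = ISP uplink,
# vlan10 = POS, vlan20 = staff, vlan30 = guest wifi.
flush ruleset

table inet segmentation {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Manage the firewall only from the staff segment
        iifname "vlan20" tcp dport { 22, 443 } accept
        # DHCP and DNS served by the firewall to every segment
        iifname { "vlan10", "vlan20", "vlan30" } udp dport { 53, 67 } accept
        iifname { "vlan10", "vlan20", "vlan30" } tcp dport 53 accept
    }

    chain forward {
        # Default deny: traffic between segments must be explicitly allowed
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # POS: outbound HTTPS to the payment processor only
        # (203.0.113.0/24 is a documentation range used as a placeholder)
        iifname "vlan10" oifname "wan0" ip daddr 203.0.113.0/24 tcp dport 443 accept

        # Staff: general internet access, nothing toward POS or guest
        iifname "vlan20" oifname "wan0" accept

        # Guest: internet only
        iifname "vlan30" oifname "wan0" accept

        # Anything else (guest -> POS, staff -> POS, guest -> staff) is
        # logged and dropped, which is the lateral movement a flat network allows
        log prefix "inter-vlan denied: " drop
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

The logged denials are also the detection signal: a guest or staff device repeatedly probing the POS segment shows up in the firewall log instead of silently succeeding.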
Most businesses inherited their network setup from whoever installed it first and never revisited it. The setup that felt fine five years ago is running in a different threat environment today. A conversation and a walkthrough are usually enough to know where you stand.
That is a much easier thing to do than lying awake wondering.
Until next time, keep IT simple.
Dave