Some thoughts.
Anything capable of running software of sorts, beit your computer, firewall, mobile phone, printer, photocopier, TV's, vehicles's etc with the ability to update it with new versions of software has the potential to be hacked.
With that in mind, the next question is how easy is it to update? TV's can be updated over the air, some vehicles & phones similarly; now in the case of computer networks, you need to isolate everything otherwise something like stuxnet & other rogue software can be hiding in your network printers or photocopiers or switches.
One way is to isolate everything into its own unique sole vlan with firewalls blocking everything thats not permitted.
Permission should only be granted when you want to, like for example allowing access to update sources during dates & times of your choosing, none of this allowing anything to touch base unneccesarily like windows desktops phoning home to MS in the US when you log on for example, same for switches.
Bear in mind all isp routers and firewalls all have a default allow out to the net rule including pfsense, what an easy way to walk out with your data.
Audit all PC's where possible so you know what the contents of your computers hd's are frequently becuase the flaw with AV software is simply this, the AV companies need to find the virus first before they can add it to their signature database of known viruses. In other words your AV software can not protect you unless the AV company has found the virus.
For point of reference, AV companies can spot variations of the same virus automatically in most cases which are the updates we receive hourly, daily weekly etc, its the new viruses that can take weeks, months, years to reverse engineer before they consider something a virus or not and thats before we get into polymorphic software.
Bear in mind its entirely possible for app stores including MS updates to serve unique files just for you if you want to be really paranoid and how do you know that dll coming down the wire is what it says it is?
Bear in mind its also possible to hide software in the less used parts of spin disks which no longer get formatted when reinstalling your windows OS as it does a quick NTFS format which just resets the FAT (disk index) not blank the contents (the chapters of the book).
Log all traffic data in and out and have something to analyse the data so it flags up anomalies or unaccountable network traffic. Get to know the data patterns by day, week, month & year much like you would know when your car is not running quite right.
In some cases block ssl traffic out of your machine as you dont know what data is being lifted/sent that could incriminate you, even your windows os tracks the files like what you send to the recycle bin and that is part of the forensics built into windows.
Be careful of Google, its very machiavellian and will serve you data which can land you in court, be careful of websites you visit as some dont allow you to report questionable data, again setting you up for a fall if the authorities so desire.
Work on the basis if you can think it so can they, but they will have beaten you to it in ways to access that data, and remember a request from one country to another is not always immediately illegal except where the conspiracy to commit a crime is punishable like here in the UK, which means every request GCHQ sent abroad to foreign spooks is commiting a crime even though they like to portray they dont break the law, dontcha believe it. They will even employ phishing techniques in major online news media via comments and other websites to find out the information they want to know like how easy it is to evade their detection. ;D
FWIW.