More devices, more problems

The cliché is that if your firm does experience a hack, it will be by guys parked outside in a suspicious van with dark-tinted windows.

The reality is that the carrier of a malicious virus, malware or ransomware could be...you. Or your spouse, bringing your lunch. Or your “smart” thermostat.

If you don’t adequately insulate whichever Wi-Fi network carries your most critical information, crippling malware can infiltrate it, originating from anything that accesses the Internet. So if a visitor to your firm, who unwittingly downloaded malware onto their iPhone weeks earlier, taps that phone into your Wi-Fi network, that malware can kick open the door to hackers.

Consider Krack, a devastating new flaw in the widely used WPA2 protocol. Experts are scrambling to update their systems and close the breach, which allows hackers to infiltrate password-protected wireless networks. This vulnerability has exposed nearly all modern, protected Wi-Fi networks and most devices that use them.

Firms and corporations alike are realizing that they were never as safe as they thought they were.

Take a lesson from Target’s notorious hack in 2013. A hacker stole network credentials of an employee of Fazio Mechanical Services, a refrigeration, heating and air conditioning subcontractor that serviced a number of Target locations. The hacker was able to hop from the heating, ventilation and air conditioning (commonly known as HVAC) system into the retailer's payment network, and install software on most of the registers during the holiday season. The hackers got away with information from 40 million shopper credit and debit cards, and Target settled for $18.5 million.

Here’s another scenario: On the way to the office, one of your employees uses her smartphone while riding in a newer, Wi-Fi-equipped Uber — and unwittingly picks up malware that will infect your whole network before her first coffee break.

Oftentimes, compromised devices don’t show any signs they’ve been jeopardized. Well-intentioned employees can tank a firm by creating a path for hackers to jump from infected devices to company computer networks that contain valuable data. It’s more important than ever that firms segment their networks. If Target had completely separated its climate control network and payment network, the hacker couldn’t have weaseled his or her way into customer data.

To put it another way, when the wireless network that an employee uses to stream an NFL game on his tablet is the same network that contains all of your valuable data, the hacker will be the one scoring the touchdown.

The fix

To inoculate against these attacks, firms setting up their Wi-Fi must keep at least two networks: one, the production Wi-Fi network where you have full control and monitoring for all computers, servers, and company-owned devices; the other, a guest network for iPhones, visitors, internet-connected devices, Amazon Echos, etc.

Your employees can use the latter to scroll Facebook, check personal emails, etc. That way, if their personal phone is compromised because they either accessed an infected network elsewhere or opened a tainted link, hackers won’t be able to jump to the network where essential data and working systems live.

It’s always a possibility that the guest network may become compromised and a security risk for anyone who uses it, but you won’t have a Target-sized cyber crisis on your hands.

Segmenting networks only works, however, if infected devices don’t come in contact with the production network. That means employees have to be extremely careful to either not use, or use wisely, personal devices on the production network for work purposes and vice versa.

You can’t be certain your employees’ Internet-connected devices have the necessary level of vetting and security software that your work devices do. Even remotely accessing email servers or client databases from an infected phone can give hackers an in.

My recommendation is not to allow any employee-owned devices to access your production network or your company data, including email, unless your employees have agreed to having your security and monitoring software installed on those devices. This includes home computers, cell phones and tablets.

Maybe that means doling out company phones, or providing and managing your company’s security software on employee-owned computers and devices. Sure, it won’t be free or as simple as doing nothing; however, firms that lose private customer data end up in a world of hurt.

So don’t let strangers in your house! But if you must, make sure you do a thorough vetting first and you monitor them while they’re inside.

But ultimately, you’re safer if they stay in the guest house.
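
To check that the two-network setup described under "The fix" actually holds, the sketch below audits a firewall rule list for any path from the guest network into production, and an inventory for unmanaged personal devices on production. It is an added example, not part of the original article; the subnets, the `src`/`dst`/`action` rule format, and the device records are constructed assumptions.

```python
from ipaddress import ip_network

# Constructed subnets; substitute the ranges your own router or firewall uses.
PRODUCTION = ip_network("10.10.0.0/24")
GUEST = ip_network("10.20.0.0/24")

def guest_to_production_leaks(rules):
    """Return allow rules that let a guest address reach a production address.

    Rules are first-match, top to bottom. An earlier deny that covers the whole
    guest -> production pair shadows every rule below it. Partial denies are
    ignored, so the result errs on the side of reporting.
    """
    leaks = []
    for rule in rules:
        src, dst = ip_network(rule["src"]), ip_network(rule["dst"])
        if rule["action"] == "deny":
            if GUEST.subnet_of(src) and PRODUCTION.subnet_of(dst):
                break
        elif src.overlaps(GUEST) and dst.overlaps(PRODUCTION):
            leaks.append(rule)
    return leaks

def devices_violating_policy(devices):
    """Names of devices on production that are neither company-owned nor managed."""
    return [d["name"] for d in devices
            if d["network"] == "production"
            and not (d["company_owned"] or d["managed"])]

# Constructed rule sets. "Guest may go anywhere" quietly includes production.
WEAK_RULES = [
    {"src": "10.20.0.0/24", "dst": "0.0.0.0/0", "action": "allow"},
    {"src": "10.10.0.0/24", "dst": "0.0.0.0/0", "action": "allow"},
]
SEGMENTED_RULES = [
    {"src": "10.20.0.0/24", "dst": "10.10.0.0/24", "action": "deny"},
] + WEAK_RULES

# Constructed inventory: (name, network, company_owned, managed).
DEVICES = [dict(zip(("name", "network", "company_owned", "managed"), row)) for row in [
    ("front-desk-laptop", "production", True, True),
    ("partner-phone", "production", False, True),     # employee-owned, enrolled
    ("personal-tablet", "production", False, False),  # employee-owned, unmanaged
    ("smart-thermostat", "guest", True, False),
]]

if __name__ == "__main__":
    print("weak leaks:", guest_to_production_leaks(WEAK_RULES))
    print("segmented leaks:", guest_to_production_leaks(SEGMENTED_RULES))
    print("policy violations:", devices_violating_policy(DEVICES))
```

Rule order matters here: placing the deny below the guest "allow anywhere" rule leaves the leak in place.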