Let's say this is a business. Your IT staff should know to implement a logon with a domain or AD server so even if they plugged in they don't have an account and are locked out. You can also implement a physical security on the lan connection. Lock it up with lock boxes and more.

If your IT staff can't do this, they may be at risk of an early termination. Not to sound cruel but why would a company hire such staff?
Bob