Could an employee or anybody else having access to your premises plug a device into your network - say a Wi-Fi hotspot or a thumb drive - and open your network to outsiders?
Not under our watch. Only devices with authorized MAC addresses and with a corresponding static IP can access your network.
If third-party visitors or smart phone users need WiFi access while on your premises, they can use access points hooked-on to your internet connection(s), outside of your firewall perimeter.
Likewise with thumb-drives masquerading as keyboards to capture your credentials and send them to wrongdoers over the internet.
This cannot be done when adding or replacing a keyboard requires that you are logged-in, or an approval from a logged-in user.
The list of ploys and countermeasures goes on.