raise the drawbridge
and remember that most organisations of any size have at least three IT operations: production, test/development, business administration - and that these should never be allowed to meet.
You really don't want people who work on one of these to act as a bridge to any other. If that means having two PCs (neither with any USB ports) on a desk, then make it so. But if you want to stop contamination spreading and to protect, or at least slow down attacks on, your production - revenue-earning - systems, then you need barriers between them.