Defense in depth - protect your perimeter, segregate your network, protect your endpoints. Use all the elements of the TrustSec architecture you can, e.g. Security Group Tagging.
Develop, implement and enforce a BYOD policy to limit what gets on your network and what it can access. A product like Cisco ISE does this quite well.