Are the apps all accessed via a browser?  Could you put a block on all access attempts that don't originate from the web server or IT computers?

If the apps connect via ODBC and use standard SQL authentication, do the users know the password to get them through the ODBC connection?

I would also take the political route and have amending data outside of an application a disciplinary offence for unauthorised staff.