Couple of things.

- if you can avoid deploying wireless at all, do so

- if you must deploy wireless, here are few tips:
- do NOT put the WAP on your internal network, hang it off of a DMZ on your firewall and require users to VPN into your network once they've connected to the WAP
- DO use WEP, it's weak, but every little bit helps (think defense in depth)
- DO use MAC address filtering (again, defense in depth)
- Once you've got the network set up, take your own laptop and walk around the building to see how far your radio signal reaches. Limiting the signal strength is beyond the scope of a simple forum post, but at least knowing how far you've just extended your network will make you aware of your exposure.
- get your hands on a WAP that supports WPA (basically WEP with TKIP)

Those are some quick points off the top of my head.

--Ben