Personally, any wireless access point I would ever install here would be behind it's very own Linux firewall, transparently bridged to the wired internal network only for "validated" nodes. This requires a Linux (or whatever) box between the AP and the internal LAN.

Now.. just to be visitor-friendly, I might also configure it for transparent external access regardless, but the internal LAN here has too many business secrets on it to just make it open to the outside world..