The best way is to implement WPA2 encryption on the access point with a hard to guess key and activate MAC address filtering. The downside of this is that you have to then put in each of their MAC addresses in the AP and each user has to implement the key in his laptop. You could opt to not do the MAC address filtering, but I'd definitely do the WPA2.
Now, all this does is just encrypt the traffic and potentially block out wireless hackers. To really protect yourself from malware infections, you need to know how the users are protecting their laptops and you need to be running good quality antimalware solutions on your network.
This is apparently not an option for you, but our policy is to not allow any non-company laptops onto our network. In our situation there is no reason for a non-company person to ever get on our network. If they need access to the Internet, we have set up an open wireless connection that talks directly to the Internet, but has no connection at all to our network.
