The first rule of protecting sensitive data on your computer is to always know where it is, and who has access to it at all times. No matter what security measures are put in place, an individual with enough technical knowledge and time can usually bypass most of these countermeasures. Our goal is to make this as difficult as possible. With a combination of security efforts, only an extremely advanced computer user with a very long period of unobstructed physical access to your machine will be able to access any of your data.
Let's start off with the basics. I am going to assume you are at least using a still-supported version of OS X on your Mac (10.9 Mavericks or higher). You will, of course, want to set up a password to protect access to your administrator account. For maximum protection, create a password at least ten to twelve characters long, with at least one capital letter, number, and symbol. Create something truly unique that won't be guessable by anyone. During my time fixing computers and removing passwords as part of my job, I have come across countless bad passwords that are easily cracked. "Password," "P@ssw0rd," "123456," and "654321" don't make for good passwords. Neither do passwords based on personal information that someone could glean, such as your date of birth, your husband's or wife's name, your girlfriend's or boyfriend's name, your last name, your pet, or where you were born. Also, while you are at it, delete the "Guest" account if it is enabled, by going into Users & Groups in System Preferences. In the Security and Privacy section of System Preferences, be sure to require a password immediately after sleep or screen saver begins, and set up a screen saver or have the computer lock after a specified amount of time while not in use.
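The password rules above can be checked mechanically. The following Python sketch is an added example, not part of the original post; the 10-character minimum takes the lower bound of the advice above, and the look-alike substitution table, the sample passwords and the personal details are constructed assumptions.

```python
MIN_LENGTH = 10  # lower bound of the "ten to twelve characters" advice
# Bad passwords named in the post ("P@ssw0rd" reduces to "password" below).
COMMON = ("password", "123456", "654321")
# Assumed look-alike substitutions; illustrative, not exhaustive.
LEET = str.maketrans("@4031$57!", "aaoelssti")


def variants(password):
    """Lower-cased password, with and without look-alike characters undone."""
    lowered = password.lower()
    return {lowered, lowered.translate(LEET)}


def audit_password(password, personal=()):
    """Return the rules the password breaks (an empty list means none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in password):
        problems.append("uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(not c.isalnum() for c in password):
        problems.append("symbol")
    forms = variants(password)
    # A common password padded out to pass the composition rules is still weak.
    if any(word in form for word in COMMON for form in forms):
        problems.append("common")
    # Personal details (names, birth year, pet, birthplace) come from the caller;
    # tokens under 3 characters are skipped to avoid accidental matches.
    tokens = [t.lower() for t in personal if len(t) >= 3]
    if any(tok in form for tok in tokens for form in forms):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    info = ("Rex", "Springfield", "1987")
    for pw in ("P@ssw0rd", "P@ssw0rd2024!", "Rex!Springfield1987",
               "cobalt-Heron_42=ferry"):
        print(pw, audit_password(pw, info))
```

Note that "P@ssw0rd2024!" meets the length and character-class rules and is rejected only because the substitution check reduces it to a common password.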
|FileVault in OS X 10.11|
The next step is to enable an "Open Firmware Password." This prevents an unauthorized person from booting to an external disk that can be used to crack your passwords and encryption, and from booting into Super User mode, which opens a super-user or admin-level terminal that can be exploited to remove your pre-existing password or remove your account entirely. The "Open Firmware Password" essentially requires the input of another password to do anything other than boot to your already password-protected and encrypted account. For added security, I recommend choosing an entirely different password or a variation of your login password when setting up the Open Firmware Password. While the methodology for setting this added layer of security is a bit more complex than the aforementioned procedures, it is still relatively straightforward. Either boot into your Mac's built-in recovery partition, or create a bootable OS X installer disk to boot from. Once inside the recovery environment, choose "Open Firmware Password" from the "Utilities" drop-down menu. This is another case of absolutely DO NOT forget your password. If you have a newer Mac such as an Air, Retina Pro, or the new MacBook, there is no way to reset your Open Firmware Password aside from going to the Apple Store if you forget it (and you will have to provide evidence that you are the original computer user to get the password lifted).
|Firewall settings in OS X 10.11|
Now for online anonymity. A paid VPN is the best way to remain as anonymous as possible when surfing the web. I have tried free VPNs, and they simply are not reliable and require a decent amount of fiddling in System Preferences. Private Internet Access offers extremely reasonable prices, and integrates perfectly with OS X. A VPN routes your web traffic through a protected tunnel and through several different servers. It also encrypts your traffic with selectable 128-bit or 256-bit AES encryption, and obfuscates your computer's original IP address with an anonymous one. This makes it much more difficult for ISPs and government surveillance agencies to ascertain the type of data being sent to and received from your computer, as well as the location of your machine geographically. All they see is undeterminable data that's encrypted. Keep in mind, however, that the NSA essentially pioneered electronic data encryption, and they can certainly break it given enough of an inclination to do so. A VPN still adds a substantial privacy blanket to your online activity, however, and has the added benefit of encrypting all of your web traffic if enabled, which is handy when you are surfing on unprotected public Wi-Fi. In addition to a VPN, you can also opt to use the Tor browser for Mac, which routes all of your searches and web content viewed on the browser through the Tor network. The NSA has proven that it has the ability to de-anonymize Tor users, but combining Tor and a VPN would make de-anonymization relatively tricky. The only downside of Tor is that it significantly slows down your connection, and is not suitable for P2P situations or downloads, but rather light browsing and reading.
Through a combination of these methods and software, you have created a very resilient and hard-to-crack system that protects your data and your online anonymity. Of course, no computer system and security is infallible, but your Mac will certainly be far more secure than the average computer. The good news is that OS X is a UNIX-based operating system and thus has far fewer virus and infection issues than a Windows machine. There is still antivirus software available for the Mac, my two favorites being Malwarebytes for Mac and Avast! Mac Security. I would recommend both if you are concerned about the rare possibility of getting a serious infection. Both are free. Avast will actively protect your system from infections and has added paid features such as security browser plug-ins to redirect you away from phishing and virus-infected websites. Malwarebytes is a removal tool for removing viruses, malware, and trojans that may have crept onto your system. Avast has virus removal tools as well. I personally keep both on my system, but in my twelve years of using a Mac, have never once gotten a virus on my system.
The first line of defense is always to be careful about what you download and the sites you visit, as well as restricting physical access to your machine by people you don't trust. Also, don't ignore those OS X security updates for too long. If you have a Mac laptop with all of the aforementioned security steps put in place, you can rest assured that it's highly unlikely that your personal data is in peril if it's lost or stolen. Furthermore, if your Mac is tied to an iCloud account, you can track its location via GPS, and assuming it's connected to the internet, remotely wipe the machine or lock it with a 6-pin passcode (creating a lock over a lock over a lock, at this point!). Using these methods, your Mac can become an extremely well-protected system that you can feel safe storing personal or customer data on. Through the combined use of these methods, you will have essentially "Fort-Knoxified" your Mac.
Private Internet Access Website
OS X Daily: Set Firmware Password