Apply a firmware password
Mac OS X/macOS turns on FileVault encryption by default nowadays, which means the entire boot disk is encrypted and impossible to access unless it's unlocked at login via the user's password. However, that doesn't stop somebody using a USB memory stick to boot the Mac and potentially wipe all the data from the hard disk, or simply reinstall OS X/macOS. The solution is to apply a firmware password. Unlike a PC's so-called BIOS password, the Mac's firmware password prompt only appears if somebody tries to boot your Mac in a non-standard way, which is to say, via a USB stick, or if they try to boot to the Recovery Console. Most of the time you won't see the password prompt.
In fact, it's from the Recovery Console that you'll need to activate the firmware password, so restart the computer and, just before the Apple logo appears, press and hold down Cmd+R. When the boot-time progress bar appears you can lift your fingers from the keyboard. Select your language and location when prompted, then click the Utilities > Firmware Password Utility menu item. Follow the instructions. Be extremely careful here! If you forget the firmware password then only Apple can unlock your computer. This is probably why this feature is optional!
Enable the guest user
If you know anything about computer security you might be wondering if we've gone mad: we're asking you to enable the guest user? Doesn't that let anybody who's stolen your Mac actually use it? Well, it's more that we're asking you not to turn it off, because it's a vital tool within the Find My Mac service, which is a part of iCloud that lets you attempt to track down a lost or stolen Mac. Apple says the following: "The guest account works with the Find My Mac feature of iCloud, which can help you find your Mac if you lose it. You can locate your Mac if someone finds it, logs in as a guest, then uses Safari to access the Internet."
So, don't turn off the Guest account if you have Find My Mac enabled in iCloud (to check, open System Preferences, click the iCloud icon, and then ensure there's a check alongside Find My Mac at the bottom of the list at the right).
Disable the FileVault "Security Hole"
Those who take computer security very seriously indeed point out that, when your Mac enters sleep mode (if you close the lid of a MacBook Pro, for example), there's a potential security hole in the fact that the password required to decrypt FileVault is stored in memory. In theory somebody could wake the computer and somehow - and we genuinely don't know how - retrieve this key, and thereby have access to the entire disk's contents without the need for a login password.
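The settings covered in the sections above can also be checked from Terminal. The script below is an added example, not part of the original article: it reads the output of the macOS tools firmwarepasswd, fdesetup, pmset and defaults. The function names are made up for this example, and the pmset key destroyfvkeyonstandby (which controls whether the FileVault key is discarded when the Mac enters standby) is not mentioned in the article.

```shell
#!/bin/sh
# Added example: report the settings discussed above from the command line.
# The check_* functions (hypothetical names) parse text printed by macOS tools;
# audit_mac feeds them the real output and must be run as root.

# `firmwarepasswd -check` prints "Password Enabled: Yes" or "Password Enabled: No"
check_firmware() {
    case "$1" in
        *"Password Enabled: Yes"*) echo "firmware-password: set" ;;
        *"Password Enabled: No"*)  echo "firmware-password: NOT set" ;;
        *) echo "firmware-password: unknown" ;;   # no output: not root, or tool absent
    esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On"*)  echo "filevault: on" ;;
        *"FileVault is Off"*) echo "filevault: OFF" ;;
        *) echo "filevault: unknown" ;;
    esac
}

# `pmset -g` lists "destroyfvkeyonstandby 1" when the FileVault key is
# discarded as the Mac enters standby; anything else means it stays in RAM.
check_sleep_key() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*destroyfvkeyonstandby[[:space:]]+1([[:space:]]|$)'; then
        echo "fv-key-on-standby: destroyed"
    else
        echo "fv-key-on-standby: KEPT in memory"
    fi
}

# `defaults read ... GuestEnabled` prints 1 when the guest account is enabled
check_guest() {
    [ "$1" = "1" ] && echo "guest: enabled" || echo "guest: not enabled"
}

# Collect the real tool output; errors are silenced so a missing tool reads as empty.
audit_mac() {
    check_firmware  "$(firmwarepasswd -check 2>/dev/null)"
    check_filevault "$(fdesetup status 2>/dev/null)"
    check_sleep_key "$(pmset -g 2>/dev/null)"
    check_guest     "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)"
}

# Run the audit only on macOS, so the functions can be sourced on other systems.
if [ "$(uname -s)" = "Darwin" ]; then audit_mac; fi
```

With Find My Mac in use, "guest: enabled" is the result the article recommends, not a finding to fix.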