Mac OS X is inherently secure but there are a handful of steps you can take to tighten things even further
The firewall defends your Mac against unwanted incoming connections from the Internet.
Check to ensure the firewall's enabled by opening System Preferences and selecting the Security & Privacy option. Click the Firewall tab and ensure it reads Firewall: On. If not, click the Turn On Firewall button.
Macs don't have outgoing firewall protection, as offered by apps like Zone Alarm on Windows. Outgoing firewalls notify you when apps send data and let you block them, which can stop hackers stealing files, for example. Little Snitch (US$34.95) provides an inexpensive and user-friendly outgoing firewall.
All Macs running OS X Mountain Lion (and OS X Lion from 10.7.5 onwards) block software that hasn't been digitally signed - a process in which Apple approves the developer. This leads to the familiar error message when you try to use or install unsigned software: "[this app] can't be opened because it is from an unidentified developer."
The system at work here is called Gatekeeper and can be controlled via the Security & Privacy section of System Preferences - select the General tab and choose from the options underneath Allow Applications Downloaded From. To turn it off, click Anywhere.
Leaving Gatekeeper switched on is a good idea, however, and you can bypass its protection when needed -- assuming you're sure an app or installation package is safe, just hold down Ctrl, then click it and select Open. This will mark it as being trusted.
The most serious recent Macs threats, such as the Flashback trojan, have exploited bugs in Java. The simplest fix is to avoid installing Java. Sadly, if it's already installed then removing it is next to impossible. Additionally, some apps rely upon it - certain components of LibreOffice, for example. You can block Java applets running in your browser, however, which is the main attack route. In Safari, open Preferences (Cmd+comma) and click the Security icon, then uncheck Allow Java. In Google Chrome, type about:plugins in the address field, then click Disable under the Java entry in the list. In Mozilla Firefox, click Tools > Addons, then click Plug-ins in the list on the left, and the Disable button alongside the Java entry.
Other threats attack via the Adobe Flash browser plug-in. Disabling this is perhaps unrealistic bearing in mind many popular sites rely upon it, but you can use plug-ins like FlashBlock on Chrome or Firefox to stop any Flash on a page running automatically until you click it. ClickToFlash does the same on Safari.
Whether Macs need an antivirus is still open to debate, but increasing numbers of Mac owners feel the need to install one - so much so that in 2011 one of the biggest Mac malware infections was via a fake antivirus app called MacDefender.
Sophos Anti-Virus for Mac Home Edition offers always-on virus protection for free, meaning that the app sits in the background and immediately alerts you should an infection take place.