In my opinion, you should definitely disallow any direct connections to your NAS from the Internet (including port forwarding).
However, it depends on the data you have there. So there are 2 options:
If it is meant to be a kind of public server, that you and your friends/other people are intended to use, then fine, keep it connected and concentrate on making it more secure.
But if you store any kind of confidential data there, and loss of confidentiality, availability or integrity could be harmful for you - just disconnect it immediately. Immediately means right now, because the risk that your NAS could be hacked and your data leaked could be too high (again, this depends on your own evaluation of what will happen to you if the data stored on your NAS is leaked/modified/deleted, and how bad that is for you).
In the second case, securing your NAS will not really solve the problem, because it will stay a single point of failure/entrance. Even if you configure it properly, with two- or even three-factor authentication, firewall, etc., and even if your system is up to date, there could still be a zero-day vulnerability in a properly configured and protected service on your NAS. Like Heartbleed (see "How to explain Heartbleed without technical terms?" and "How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?"). When Heartbleed was a zero-day, and people had a web server with SSL (HTTPS) listening, even if it was properly configured - it could still be hacked, without any alerts in the logs and so on, and the attacker did not need to authenticate at all.
Or another example, maybe more relevant for a NAS: https://www.kb.cert.org/vuls/id/615910. Imagine the time when this vulnerability was a zero-day. Then, if you have your Synology NAS with a web server connected to the Internet, it will "allow a remote unauthenticated user to append arbitrary data to files on the system under root privileges", which implies that the remote attacker could "execute arbitrary code" (http://www.cvedetails.com/cve/CVE-2013-6955/). Even if you restricted access to your web server in a proper way - it will not help in this case, because it is a vulnerability of the server itself.
So what to do?
Place your NAS behind a router, and configure a VPN server on the router. Then, to access your NAS, you need (1) to connect via VPN to your home network and (2) to authenticate on the NAS itself. So now, to access your data, someone must first hack your router, and then hack your NAS. If the router has different software running, it means that an attacker now needs 2 zero-day exploits instead of 1, if you have configured everything properly and update it regularly. This measure adds one more protection level and makes it much harder for an attacker to get to your data on the NAS.
Of course, now it is more complicated for you to access your files as well, but this is the price of higher security. You need to spend both time and money (to buy a VPN-capable router, probably pay for a static IP address if it is available (or even switch provider), configure it, etc.). Then you can only connect to the VPN if you have a client installed. To make it a little bit easier, you could, however, search for clientless VPN solutions.
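As an added example (not part of the original answer), one way to verify the "no port forwarding" rule on a Linux-based router is to scan its `iptables-save` output for DNAT rules that send WAN traffic to the NAS. The interface names (`eth0` for WAN, `tun0` for VPN), the NAS address `192.168.1.50` and the sample ruleset are constructed assumptions; UPnP mappings and IPv6 are not covered.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save` output from a hypothetical home router:
# eth0 = WAN, tun0 = VPN, 192.168.1.50 = NAS (all assumed values).
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5001 -j DNAT --to-destination 192.168.1.50:5001
-A PREROUTING -i tun0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.50:445
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.40-192.168.1.60:80
-A PREROUTING -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.1:1194
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""

def _covers(dest, nas):
    """True if a --to-destination value (ip[-ip][:port[-port]]) includes nas."""
    addrs = dest.split(":")[0].split("-")
    return ipaddress.ip_address(addrs[0]) <= nas <= ipaddress.ip_address(addrs[-1])

def find_nas_forwards(ruleset, nas_ip, wan_if):
    """Return nat-table DNAT rules that send traffic arriving on wan_if to nas_ip."""
    nas = ipaddress.ip_address(nas_ip)
    findings, table = [], None
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):
            table = line[1:]          # table header, e.g. *nat or *filter
        if table != "nat" or not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        wanted = ("-i", "-j", "--to-destination")
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t in wanted}
        if opt.get("-j") != "DNAT" or "--to-destination" not in opt:
            continue
        in_if = opt.get("-i")
        negated = in_if is not None and tok[tok.index("-i") - 1] == "!"
        # No -i matches every interface; "! -i X" matches everything except X.
        from_wan = in_if is None or ((in_if == wan_if) != negated)
        if from_wan and _covers(opt["--to-destination"], nas):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for rule in find_nas_forwards(SAMPLE_RULESET, "192.168.1.50", "eth0"):
        print("NAS reachable from WAN via:", rule)
```

An empty result for the WAN interface is what the setup described above should produce; the rule forwarding from `tun0` is the intended VPN-only path and is not flagged.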