---
id: "action-architect-data"
type: "action-item"
source_timestamps: ["¶11"]
tags: ["data-management", "ransomware-defense"]
related: ["concept-data-architecture-for-security", "claim-backups-defeat-ransomware", "prereq-ransomware-mechanics"]
action: "Back up data, tag it using software, and restrict access to necessary personnel only."
outcome: "Neutralizes ransomware leverage and limits internal/external data exposure."
speakers: ["Daniel Dobrygowski"]
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Architect and Restrict Data Access

**Action:** Back up all organizational data to neutralize ransomware threats ([[claim-backups-defeat-ransomware]]). Adopt software tools to inventory and tag data, and implement the principle of least privilege by limiting data access strictly to employees who need it for their roles.

**Outcome:** Neutralizes ransomware leverage (availability) and limits internal/external data exposure.

**Where it fits:** Step 3 ("Architect your data") of [[framework-dobrygowski-smb-cyber-defense]]; the operational form of [[concept-data-architecture-for-security]]. Requires [[prereq-ransomware-mechanics]].

> [!warning] Backups aren't the whole story
> Backups defeat the *availability* leverage of ransomware but not the *confidentiality* leverage of double/triple extortion (exfiltrate-and-leak). Segment and protect the backups themselves, and add data minimization plus legal/PR planning.
