---
id: "concept-data-architecture-for-security"
type: "concept"
source_timestamps: ["¶11"]
tags: ["data-management", "access-control", "ransomware-defense"]
related: ["action-architect-data", "claim-backups-defeat-ransomware"]
definition: "The structuring, tagging, backing up, and access-restricting of organizational data to minimize the impact of breaches and neutralize ransomware threats."
sources: ["governance"]
sourceVaultSlug: "hbr-seg-governance"
originDay: 7
articleStem: "hbr-sig-57-smb-cyber-risk"
sourceUrl: "https://hbr.org/2026/06/ai-is-changing-cyber-risk-heres-how-smbs-can-respond"
sourceTitle: "AI Is Changing Cyber Risk. Here’s How SMBs Can Respond."
---
# Data Architecture for Security

Treating data organization as a primary cybersecurity vector rather than a purely operational concern. The source defines three core pillars:

1. **Comprehensive backups** — back everything up to eliminate the leverage of ransomware attackers ([[claim-backups-defeat-ransomware]]).
2. **Inventory and tagging** — use software tools to catalog and tag all organizational data so you know what you hold and where.
3. **Least-privilege access controls** — restrict employees to only the specific data sets required for their roles (the principle of least privilege).

This concept is executed via [[action-architect-data]] (step 3 of [[framework-dobrygowski-smb-cyber-defense]]) and depends on the reader understanding [[prereq-ransomware-mechanics|how ransomware works]].

> [!note] Enrichment nuance
> This is strongly aligned with mainstream security architecture — zero trust, identity-centric defense, and data-centric security. Least privilege is core to NIST guidance (SP 800-53 / 800-171); data classification and discovery tooling improve visibility and protect "crown jewels"; segmented, immutable backups reduce ransomware blast radius. **Key limit:** backups defeat the *availability* leverage of ransomware but not the *confidentiality* leverage. Modern campaigns use double/triple extortion (encrypt + exfiltrate + threaten to leak/DDoS), so data architecture must be paired with data minimization, segmentation, and legal/PR planning — see the counter-perspective in [[claim-backups-defeat-ransomware]].
