Security isnt solely about preventing data theft. Threats can originate inside or outside the organization, and they can be intentional or unintentional. The biggest threat to Internet-exposed databases is ad hoc queries. Use strongly typed input variables in your stored procedures to protect against SQL injection attacks. Never allow users view definition permissions on a user account for a Web-facing application. Never allow this permission to view definitions of tables, stored procedures, and views. Use error messages instead of forcing error messages for two or three hours.”]
Source: https://www.csoonline.com/article/2955452/7-essential-sql-server-security-tips.html