
SC-730 Exam Notes

Last-minute traps, must-know facts, and scenario tips for the Microsoft Certified: Cybersecurity Business Professional exam.

General Exam Tips

  1. Read every question from the perspective of a non-technical business employee, not an IT administrator. The correct answer is almost always 'report to IT' rather than 'fix it yourself.'
  2. Watch for qualifiers: 'FIRST,' 'BEST,' and 'MOST appropriate' signal that multiple answers are partially correct. Pick the one that is most immediate, least risky, or most aligned with policy compliance.
  3. 58 questions in 60 minutes of actual exam time: that is just over 1 minute per question. Do not dwell. If you are unsure, flag it and move on.
  4. When two answers both sound correct, ask: 'Which one keeps the employee out of the investigator role and involves IT?' That one is almost always right.
  5. The exam is vendor-agnostic. Eliminate any answer that references a specific Microsoft product like Defender, Entra, or Purview; those are SC-900 answers, not SC-730 answers.
  6. When a scenario describes an urgent financial request or unusual executive instruction, the correct answer always involves verification through a separate known channel before acting.
  7. Every form of phishing (email, SMS, voice call, QR code) follows the same answer pattern: do not click/respond, report to IT, warn colleagues through proper channels (not by forwarding the message).
  8. The exam is still in beta (April 2026 launch, GA expected July 2026). Beta scores take 4–6 weeks to be released. Book early since beta slots are limited.
Domain 1 (33% of exam)

Understand Cybersecurity Risks and Threats

Must-Know Facts

  • Phishing variants on this exam: email phishing, smishing (SMS), vishing (voice/phone), quishing (QR code). All four are tested. The delivery channel changes, the attack pattern does not.
  • Social engineering techniques you must distinguish: phishing (deceptive digital messages), pretexting (fabricated identity/story built over time), baiting (enticing offer or physical item like a USB), tailgating (physical entry by following authorized person).
  • Malware infection indicators: system running unusually slow, antivirus suddenly disabled, unfamiliar programs appearing, browser redirects or new toolbars, files becoming inaccessible or encrypted, unexpected outbound network activity.
  • Insider threat indicators: accessing systems or data outside normal job role, downloading unusually large amounts of data, working odd hours with no explanation, expressing grievances while having access to sensitive systems, copying data to personal devices.
  • How to verify a suspicious request: always use a separate, previously established communication channel. If the request came via email, verify by phone using a known number — not a number provided in the suspicious email itself.
  • Red flags in digital communications: mismatched sender addresses (display name differs from actual domain), urgency or fear tactics ('your account will be closed in 1 hour'), generic salutations ('Dear Customer'), requests for credentials or payment, unexpected attachments, shortened or obfuscated URLs.
  • Public Wi-Fi risk: eavesdropping and man-in-the-middle attacks can happen on ANY shared network, including password-protected coffee shop networks. The risk comes from shared access, not the absence of a password. EXAM JUDGMENT: the correct answer for 'what should you do on public Wi-Fi' is always VPN + avoid sensitive activity — NOT 'confirm the network has a password' or 'ask the café staff for the official network name.'
  • Access controls for business users: least privilege means you request only the access you need for your role. If you need access to something new, request it through proper channels — do not ask a colleague to share their login.
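The red flags in the list above can be turned into a mechanical check. What follows is an added example, not part of the original notes and not a Microsoft tool: a small Python script that parses one raw email with the standard library and reports the indicators the bullets describe, namely a display name that does not match the sending domain, a Reply-To that points elsewhere, urgency phrases, a generic salutation, credential or payment requests, shortened URLs, look-alike domains, and links whose visible text shows one host while the href goes to another. The phrase lists, the organisation domain contoso.com, and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists are illustrative (this example's own), not a vendor rule set.
URGENCY = ("immediately", "within 24 hours", "in 1 hour", "account will be closed",
           "account will be suspended", "act now", "final notice")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder", "valued customer")
CREDENTIAL_OR_PAYMENT = ("verify your password", "confirm your password", "enter your credentials",
                         "wire transfer", "gift card", "update your payment")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_org(host: str, org_domain: str) -> bool:
    return host == org_domain or host.endswith("." + org_domain)


def _body_text(msg) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_flags(raw_message: str, org_domain: str, org_name: str) -> list[str]:
    """Return the red flags found in one raw RFC 5322 message; an empty list means none found."""
    msg = message_from_string(raw_message)
    flags = []
    display, sender = parseaddr(msg.get("From", ""))
    from_dom = _domain(sender)
    # Display name claims to be us, but the actual sending domain is not ours.
    if org_name.lower() in display.lower() and not _is_org(from_dom, org_domain):
        flags.append(f"display name '{display}' but sender domain '{from_dom}'")
    # Replies would silently go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        flags.append(f"Reply-To domain '{_domain(reply_to)}' differs from From domain")
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    lowered = text.lower()
    for phrase in URGENCY:
        if phrase in lowered:
            flags.append(f"urgency: '{phrase}'")
            break
    if any(s in lowered for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    for phrase in CREDENTIAL_OR_PAYMENT:
        if phrase in lowered:
            flags.append(f"asks for credentials/payment: '{phrase}'")
            break
    # Links whose visible text shows one host while the href goes to another.
    for href, visible in HREF_RE.findall(text):
        href_host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(visible)
        shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
        if shown_host and shown_host != href_host:
            flags.append(f"link text shows '{shown_host}' but goes to '{href_host}'")
    # Shortened URLs, and look-alike hosts that contain our name but are not our domain.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened URL host '{host}'")
        elif org_name.lower() in host and not _is_org(host, org_domain):
            flags.append(f"look-alike domain '{host}'")
    return flags


# Constructed sample messages for this example; the addresses and domains are made up.
PHISHING_SAMPLE = """From: Contoso IT Support <helpdesk@contoso-secure-login.com>
Reply-To: recover@mail-verify.example
To: jane.doe@contoso.com
Subject: Action required: your account will be closed in 1 hour
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>We detected unusual sign-in activity. Verify your password immediately or your account will be closed.</p>
<p><a href="https://bit.ly/3xyz">https://portal.contoso.com/login</a></p>
"""

BENIGN_SAMPLE = """From: Jane Doe <jane.doe@contoso.com>
To: team@contoso.com
Subject: Notes from today's meeting
Content-Type: text/plain; charset=utf-8

Hi all,
Attached are the notes from the planning meeting. Reply to this thread with corrections by Friday.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", phishing_flags(sample, "contoso.com", "Contoso") or ["no flags"])
```

Running it as a script prints the flags for both samples. A clean result from a word list proves nothing; the check only supports the judgment the exam tests, which is to report the message to IT rather than decide alone.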

Common Traps

Trap: Phishing only comes through email
Reality: The exam covers smishing (SMS), vishing (voice calls), and quishing (QR codes) with equal weight to email phishing. If a question describes a suspicious text message or a phone call impersonating IT, it is still a phishing scenario and follows the same response: do not comply, report to security.
Trap: A password-protected Wi-Fi network is safe
Reality: A coffee shop or airport Wi-Fi with a password is still a public network. The password only restricts who can join; everyone on the network shares the same connection, enabling eavesdropping and man-in-the-middle attacks. Use a VPN and avoid accessing sensitive data on any public network.
Trap: An email from a known colleague cannot be phishing
Reality: Attackers can spoof sender display names or compromise real accounts. A message appearing to come from your manager or a trusted vendor can still be phishing. If the request is unexpected, urgent, or asks for credentials or payment, verify through a separate known channel regardless of who appears to have sent it.
Trap: Insider threats are always intentional and malicious
Reality: Careless or negligent employees who accidentally expose data count as insider threats on this exam. An employee who emails a confidential file to their personal account 'just to work from home' is an insider risk, even without malicious intent.
Trap: If you did not click the phishing link, there is nothing to report
Reality: Report phishing attempts regardless of whether you interacted with the message. The security team needs to know a threat is targeting your organization to protect colleagues, block the sender, and assess whether others have already been compromised.

Confusing Pairs

Phishing vs. Pretexting

Phishing = deceptive digital message (email/SMS/call) creating urgency to get you to click, submit credentials, or transfer money — usually a single interaction. Pretexting = attacker builds a fabricated identity and backstory over multiple interactions to earn trust before extracting information. Key exam tell: if the scenario describes an ongoing relationship or a fabricated role (e.g., 'someone claiming to be an IT auditor who emailed last week and now called'), that is pretexting, not phishing.

Baiting vs. Phishing

Baiting = attacker lures victim with something enticing — a free USB drive left in a parking lot, a 'free software download,' or a gift offer — to get them to plug in malware or visit a malicious site. Phishing = uses urgency and impersonation. Key exam tell: if the lure is something free or appealing (not threatening or urgent), it is baiting.

Tailgating vs. Social Engineering

Tailgating is a PHYSICAL social engineering attack — following an authorized person through a secured door without using your own credentials. All other social engineering techniques on this exam (phishing, pretexting, baiting) are digital or communications-based. Key exam tell: if the scenario involves physical access to a building or secure area, look for tailgating.

Vulnerability vs. Threat vs. Risk

Vulnerability = a WEAKNESS that exists in a system (unpatched software, weak password). Threat = the DANGER that could exploit that weakness (a hacker, malware). Risk = the LIKELIHOOD and IMPACT of the threat exploiting the vulnerability. Exam pattern: 'unpatched operating system' = vulnerability; 'ransomware group targeting unpatched systems' = threat; 'probability of ransomware infecting unpatched machines causing business disruption' = risk.

Misinformation vs. Disinformation

Misinformation = false information spread WITHOUT deliberate intent to deceive. Disinformation = false information DELIBERATELY created and spread to manipulate or cause harm. Key exam tell: the INTENT distinguishes them. Deepfakes used to defraud someone = disinformation. Forwarding a false news story you genuinely believed = misinformation.

Scenario Tips

If the question asks about:

Employee receives a text message claiming to be from their bank asking them to click a link to verify their account due to suspicious activity

Answer:

Identify it as smishing (SMS phishing). Do not click the link. Contact the bank directly using the number on the back of your card. Report the message to IT.

Distractor to avoid:

Clicking the link 'just to check' is wrong — even visiting a phishing site can trigger drive-by downloads. Calling the number provided IN the text is wrong — that number may connect to the attacker.

If the question asks about:

Question asks you to identify which behavior is an insider threat indicator among a list of employee actions

Answer:

The indicator is the one showing abnormal access patterns: accessing data outside normal job scope, bulk downloading, copying to personal storage, or working unusual hours with sensitive data access.

Distractor to avoid:

Normal positive behaviors (completing training, reporting phishing, using MFA) will appear as wrong answer options. The presence of security awareness behavior is not a threat indicator.

If the question asks about:

Colleague receives a QR code in a flyer left on their desk that claims to give them a prize if they scan it

Answer:

This is quishing (QR code phishing) combined with baiting. Do not scan the code. Report the flyer to the security team. Inform other colleagues not to scan it.

Distractor to avoid:

Scanning 'just to see where it goes' is wrong — the destination URL may be malicious. Googling the prize to verify legitimacy is not the recommended first step.

Last-Minute Facts

1. Four phishing variants: email phishing, smishing (SMS), vishing (voice), quishing (QR code).
2. Four social engineering techniques: phishing, pretexting, baiting, tailgating.
3. Cybersecurity Risks and Threats is the heaviest domain at 30–35% of the exam; this is where you earn or lose the most points.
4. Insider threat indicators: unusual access hours, bulk downloads, data hoarding, accessing out-of-scope systems.
5. Malware indicators: disabled antivirus, slow system, unfamiliar programs, unexplained file changes.
Domain 2 (28% of exam)

Apply Basic Security Practices to Protect the Organization

Must-Know Facts

  • MFA factor types: something you KNOW (password, PIN), something you HAVE (phone, hardware token, authenticator app), something you ARE (fingerprint, face recognition). MFA requires at least two different factor types.
  • Password best practices: use a unique password for every account, use a password manager to generate and store complex passwords, never write passwords on paper or share them, never reuse passwords across accounts.
  • Sensitivity label tiers and handling: Public = safe for external sharing. Internal = employees only, not for external parties. Confidential = restricted to specific teams with need-to-know. Highly Confidential = strictest access controls, regulated data or executive-level information.
  • Rights management restricts what actions can be performed with protected documents: prevents copying content, printing, forwarding emails, or editing. Applied in addition to sensitivity labels.
  • Securing a remote workspace: use a VPN on public or home networks, lock the screen when stepping away even briefly, position the screen to prevent shoulder surfing, use organization-approved devices, never let family members use work devices.
  • Clean desk policy: secure physical documents when not in use, shred documents with sensitive information rather than throwing them in the trash, do not leave credentials or sensitive papers visible on your desk.
  • Data lifecycle: Collect (only what you need) → Use (per policy) → Transfer (secure methods only) → Store (approved locations) → Retain (per schedule) → Destroy (per approved procedures, not just deletion).
  • Why backups must be stored separately: a backup on the same device or on a mapped network drive is encrypted or destroyed by ransomware along with the primary data. Off-site or cloud backups held on a separate system survive the attack. Caveat worth knowing: a cloud folder that continuously syncs from the laptop is not a separate backup unless it keeps version history, because the encrypted files sync up and replace the good copies.
  • Data types that must never be shared with public AI tools: personally identifiable information (PII), customer financial records, proprietary business strategies, health data, trade secrets, employee personnel information, any data classified Confidential or above.

Common Traps

Trap: A strong password alone is sufficient security
Reality: The SC-730 consistently frames MFA as essential even when strong passwords are in place. Passwords can be phished, leaked in breaches, or guessed. MFA ensures a stolen password alone cannot compromise an account. The exam answer that includes MFA will beat the answer that only mentions strong passwords.
Trap: Sensitivity labels are automatically applied by the system
Reality: Users have responsibility for labeling their own documents correctly. The exam tests YOUR knowledge of when and how to apply each label. 'The system will handle it' is not a valid answer. Know the pattern: regulated customer health or financial records = Highly Confidential, team-restricted need-to-know documents = Confidential, general internal memos = Internal, shareable press releases = Public.
Trap: Deleting a file properly destroys the data
Reality: Standard file deletion does not securely destroy data; it can be recovered with tools. Proper data destruction follows organizational procedures, which may include secure overwriting, physical destruction of storage media, or certified deletion services. This especially matters for data that has exceeded its retention period.
Trap: A backup on the same hard drive or same network location is sufficient
Reality: Backups must be stored in a physically or logically separate location from the primary data. Ransomware that encrypts your local drive will also encrypt a backup stored on the same drive or a mapped network share. The exam answer for backup best practice always involves a separate location.
Trap: Removing a company name from confidential data before pasting into an AI tool makes it safe
Reality: Removing identifying details does not adequately protect confidential content. The business strategy, financial projections, or customer data patterns themselves are sensitive regardless of labels. Organizational policy on approved AI tools must be followed: check policy first, then use only approved tools.

Confusing Pairs

Sensitivity Labels vs. Rights Management

Sensitivity labels CLASSIFY documents and tell users how to handle them (Public, Internal, Confidential, Highly Confidential). Rights management ENFORCES technical restrictions on what users can DO with the document (no printing, no forwarding, no copying). Labels communicate the handling requirement; rights management enforces it automatically. They work together but serve different functions.

Data Backup vs. Data Recovery

Backup = PROACTIVE action you take before an incident — regularly copying data to a separate location. Recovery = REACTIVE process you follow after a loss event — restoring data from those backups. Without backups, recovery is impossible. On the exam, questions about what an employee should do BEFORE a problem point to backup. Questions about what to do AFTER a loss point to recovery procedures.

Multifactor Authentication vs. Two-Factor Authentication

Two-Factor Authentication (2FA) is a subset of MFA requiring exactly two factors. MFA requires two OR MORE factors. On this exam, use MFA as the generic term; it encompasses 2FA and is the recommended standard. An authenticator app push + password = MFA. A password + SMS code = MFA (it counts, though SMS is the weakest 'have' factor because codes can be intercepted or redirected by SIM swapping). Password alone = not MFA regardless of how complex the password is, and password + PIN is also not MFA, because both are 'something you know'.

Scenario Tips

If the question asks about:

Employee working from a coffee shop needs to access work documents — question asks what they should do to work securely

Answer:

Connect using a VPN, position the screen away from others, lock the device when stepping away, and only use organization-approved tools. The answer that combines these protections is the correct one; any single measure on its own is incomplete.

Distractor to avoid:

Using the coffee shop's password-protected Wi-Fi is not secure enough by itself. Only checking email (not opening confidential files) does not eliminate the VPN and shoulder-surfing risks. Asking staff for the Wi-Fi password does not make a public network secure.

If the question asks about:

Question presents four sensitivity labels and asks which to apply to a document containing customer health records

Answer:

Highly Confidential — health records are regulated data subject to the strictest controls. When in doubt between Confidential and Highly Confidential, regulated personal health or financial data pushes you to Highly Confidential.

Distractor to avoid:

Confidential is plausible but insufficient for regulated health data. Internal is wrong because it implies unrestricted access by all employees. Public is never correct for personal records.

If the question asks about:

Employee finds 5-year-old customer records on a shared drive that should have been deleted per the 3-year retention policy — what should they do?

Answer:

Follow organizational data destruction procedures or report the finding to the appropriate team. Do not simply delete the files yourself — proper destruction requires organizational approval and may require more than a standard delete.

Distractor to avoid:

Moving files to a personal drive for safekeeping violates the retention policy and creates a new security risk. Simply pressing Delete does not constitute proper data destruction.

Last-Minute Facts

1. Three MFA factor types: something you know, something you have, something you are.
2. Four sensitivity label levels: Public < Internal < Confidential < Highly Confidential.
3. Backups must be stored in a SEPARATE location from primary data; same-device backups offer no ransomware protection.
4. Data destruction for expired records requires organizational procedure, not just file deletion.
5. Rights management = technical enforcement of document restrictions (no print, no copy, no forward).
6. VPN + screen positioning + screen lock = the complete remote work security answer the exam expects.
Domain 3 (27% of exam)

Understand Cybersecurity Concepts

Must-Know Facts

  • Shared responsibility model on this exam: NOT just about cloud computing — it means EVERY EMPLOYEE shares cybersecurity responsibility with the IT security team, regardless of their role or technical skill level.
  • Key definitions to distinguish: vulnerability = a weakness in a system; threat = potential danger that could exploit a vulnerability; risk = the likelihood and impact of a threat exploiting a vulnerability; exploit = the specific method used to take advantage of a vulnerability.
  • Encryption: converts readable data (plaintext) to an unreadable format (ciphertext) that requires a key to decode. Protects data at rest, in transit, and in use. EXAM TRAP: encrypted data can still be STOLEN — encryption only prevents the attacker from reading it, not from exfiltrating it. A breach can still occur and may still require regulatory notification even if the data was encrypted.
  • Deepfake definition: AI-generated synthetic media (audio, video, images) that realistically impersonate real people or fabricate events. Used for fraud, social engineering, and disinformation. EXAM TRAP: the SC-730 does NOT test how deepfakes are made — only what they are, what they are used for, and why they are dangerous. If a question describes an audio clip impersonating an executive to authorize a wire transfer, that is a deepfake-based social engineering attack.
  • AI tool data risk: public AI chatbots and writing assistants may store, process, or train on submitted data. Confidential business information, customer PII, financial records, and trade secrets must never be entered into unapproved AI tools.
  • Software patch urgency: patches fix KNOWN vulnerabilities that attackers are actively scanning for and exploiting. Delaying patches is not a safe 'wait and see' approach — it leaves a known door open.
  • Business processes targeted by threat actors: wire transfer requests, vendor payment changes, executive impersonation for urgent approvals, HR data requests, and access credential requests.
  • Ransomware business impact: operational disruption, inability to access critical files, financial extortion costs, potential data breach notification requirements, reputational damage, and regulatory penalties.

Common Traps

Trap: The shared responsibility model only applies to cloud security
Reality: On the SC-730, shared responsibility describes the relationship between every employee and the IT security team, not just cloud infrastructure. Every person who uses a work system is responsible for their part: following policies, reporting threats, practicing good hygiene. IT cannot do it all alone.
Trap: Encryption makes data theft impossible
Reality: Encrypted data can still be stolen and exfiltrated. The encryption only prevents the attacker from READING the data without the key. A data breach can still occur and may still require regulatory notification even if the exfiltrated data was encrypted.
Trap: Deepfake questions require technical knowledge of how they are created
Reality: The SC-730 tests deepfakes purely as a definition and awareness topic. You need to know: what they are (AI-generated synthetic media), what they are used for (fraud, social engineering, disinformation), and why they are dangerous (they can impersonate executives, create fake evidence, and erode trust in digital communications).
Trap: Using a 'very strong' password eliminates the need for MFA
Reality: This exam does not accept strong passwords as a substitute for MFA. Passwords can be phished, leaked, or guessed regardless of complexity. MFA is presented as a mandatory additional layer; the exam answer will always prefer the option that includes MFA over the one that only mentions a strong password.

Confusing Pairs

SC-730 vs. SC-900

SC-730 = vendor-agnostic cybersecurity awareness cert for business users (non-IT roles). Tests: threat recognition, incident reporting, data handling, MFA, phishing, from a BUSINESS PERSPECTIVE. SC-900 = Microsoft-specific security fundamentals for IT professionals. Tests: Microsoft Defender, Entra ID, Purview, Sentinel — products and configurations. If a question answer involves a Microsoft product name, that is an SC-900 answer, not SC-730.

Malware vs. Ransomware

Malware = broad category of all malicious software: viruses, worms, trojans, spyware, adware, ransomware. Ransomware = specific type of malware that encrypts files and demands payment for the decryption key. All ransomware is malware, but not all malware is ransomware. Exam tell: if the scenario mentions encrypted files + a payment demand, the answer is ransomware specifically, not just 'malware.'

Security Awareness vs. Security Accountability

Security Awareness = knowing what threats exist and understanding policies — a passive knowledge state. Security Accountability = actively taking ownership of your specific security responsibilities: completing training on time, following data-handling procedures, reporting incidents promptly, using MFA, locking your device. Exam trap: a question asking about 'accountability' is NOT asking what you know — it is asking what you DO. Passive knowledge or 'assuming IT will handle it' is awareness at best, not accountability.

Scenario Tips

If the question asks about:

Question asks which employee action represents a security accountability practice

Answer:

Accountability means taking ownership of your security responsibilities: completing security training on time, reporting suspicious activity, following data handling policies, using MFA on all accounts, and locking your device when stepping away.

Distractor to avoid:

Passive actions like 'waiting for IT to handle it' or 'assuming the system will protect you automatically' are not accountability behaviors on this exam.

If the question asks about:

Employee wants to use a free AI assistant to draft a proposal that includes proprietary pricing strategy and customer names

Answer:

Do not share the content with the unapproved AI tool. Check organizational policy on approved AI tools. Use only tools approved by the organization for handling sensitive data.

Distractor to avoid:

Removing the customer names before pasting is insufficient — the pricing strategy and business context remain sensitive. Asking a colleague if they use the tool does not establish policy compliance.

If the question asks about:

A question describes an unpatched operating system vulnerability and asks about the risk level

Answer:

The unpatched software creates a VULNERABILITY. If attackers know about it (as they do for publicly disclosed CVEs), that is a THREAT. The risk is elevated because the probability of exploitation is high for known, unpatched vulnerabilities with public exploit code available.

Distractor to avoid:

Confusing vulnerability with risk is the trap here. The unpatched OS is not itself a risk — it is the weakness. Risk requires both the weakness AND the likelihood of exploitation.

Last-Minute Facts

1. Vulnerability = weakness; Threat = danger; Risk = likelihood × impact; Exploit = the attack method.
2. Encryption protects data but does not prevent it from being stolen; it prevents it from being READ.
3. Deepfakes = AI-generated synthetic media used for fraud and disinformation. No technical depth required.
4. Shared responsibility model: ALL employees share security responsibility with IT, not just executives.
5. Ransomware business impact includes: downtime, financial loss, regulatory exposure, reputational damage.
Domain 4 (12% of exam)

Report and Respond to Security Incidents

Must-Know Facts

  • What always requires reporting: phishing attempts (even if not clicked), lost or stolen devices (even if encrypted), unauthorized access to systems or data, suspected malware infections, observed policy violations by others.
  • Information to include in an incident report: date and time of the incident, type of incident (phishing, data loss, unauthorized access), what data or systems may be affected, actions already taken, any evidence preserved (screenshots, email headers).
  • Correct reporting channels: IT help desk, dedicated incident reporting form or portal, security team email. Never use personal email, social media, or unverified phone numbers for reporting. Use the channel your organization designates.
  • Correct response sequence for ransomware: (1) disconnect the device from the network immediately, (2) do NOT turn off the computer, (3) notify IT security immediately, (4) do not pay the ransom without authorization, (5) do not attempt to remove the malware yourself.
  • Correct response for a phishing email: do not click links or open attachments, do not reply to the sender, report through the official phishing reporting mechanism (forward to security team or use the 'Report phishing' button), do not forward to colleagues.
  • When to escalate beyond your manager: any incident involving PII, financial data, or health records; ransomware; suspected compromise of executive accounts; any incident that could trigger regulatory reporting obligations.
  • Preserving evidence means: keeping the suspicious email in your inbox rather than deleting it, not closing unexpected pop-ups or ransom notes that may contain attacker-controlled messages, and noting what you saw (a screenshot, the time it appeared, what you had just done) before handing over to IT. Note-taking takes a moment and must not delay the report itself.

Common Traps

Trap: If you didn't click the phishing link, there's no need to report it
Reality: You must report phishing attempts even if you did not interact with the message. The security team needs to know the threat reached your inbox, who else may have received it, and whether to block the sender or domain across the organization.
Trap: A lost device with full disk encryption and a strong password does not need to be reported
Reality: ALL lost or stolen devices must be reported immediately, regardless of encryption or password strength. IT needs to remotely wipe the device, revoke credentials and sign-in tokens that were cached on it, and assess whether any data was exposed. Encryption reduces risk but does not eliminate the obligation to report.
Trap: The first step in a ransomware attack is to turn off the computer
Reality: Disconnect from the NETWORK (unplug ethernet, disable Wi-Fi); do not power off. Turning off the computer destroys evidence held in memory, and it does nothing about files the malware has already reached on network shares. Disconnecting stops further spread while preserving the machine's state for incident response.
Trap: If there's no formal incident ticket system, report the problem directly to your manager
Reality: Reporting to your manager is appropriate in some contexts but is never the primary incident reporting path on this exam. The security or IT team is always the correct first notification target. Managers may need to be informed, but they are not the incident response channel.
Trap: Forwarding a phishing email to colleagues warns them and is therefore correct
Reality: Forwarding a phishing email to colleagues spreads the malicious link to additional inboxes and increases the attack surface. The correct action is to report it to IT, who will issue an organization-wide alert through safe channels.

Confusing Pairs

Disconnecting from Network vs. Turning Off the Computer

Disconnect from NETWORK = correct first technical action during ransomware. Stops lateral spread across the organization. Preserves forensic evidence on the device. Turning off the computer = WRONG first action. Destroys volatile memory (RAM) which may contain decryption keys or attacker footprints. May interrupt incident response tools. The distinction matters: unplug the cable or disable Wi-Fi, but leave the machine running until IT instructs otherwise.

Reporting vs. Escalating

Reporting = documenting and communicating an incident to IT/security through the designated channel. This is the FIRST action. Escalating = elevating the incident to a higher level of authority (from help desk to security team, or security team to management) when the incident scope is large enough. All incidents are reported; only high-severity incidents require additional escalation. The exam answer for 'what to do first' is always report, not escalate.

Scenario Tips

If the question asks about:

Employee receives a phishing email, does not click anything, then sees colleagues asking about the same suspicious email. What should the employee do?

Answer:

Report the phishing email to IT or the security team using the designated reporting channel. Do not forward the original email to colleagues — forward a TEXT WARNING through internal chat or let IT send the organization-wide alert.

Distractor to avoid:

Forwarding the original phishing email to warn people is wrong — this spreads the malicious content. Deleting it and assuming IT will catch it is wrong. Replying to the sender to tell them you know it is phishing confirms your email is active and responsive.

If the question asks about:

Ransomware message appears on screen demanding Bitcoin payment. What are the FIRST two actions?

Answer:

First: disconnect the device from the network (unplug Ethernet or disable Wi-Fi). Second: notify IT immediately. Do not pay, do not turn off the device, do not try to remove the malware yourself.

Distractor to avoid:

Paying the ransom is wrong — it funds criminals and does not guarantee recovery. Turning off the computer first is wrong — disconnect from network first to stop lateral spread while preserving forensic state.

If the question asks about:

Employee's work phone is left on public transit and never recovered. The phone had a 6-digit PIN and all data was encrypted. What should the employee do?

Answer:

Report the loss to IT immediately. IT needs to remotely wipe the device, revoke access tokens and cached credentials, assess potential data exposure, and review access logs for any use of the device after it was lost. Encryption reduces risk but does not eliminate the reporting obligation.

Distractor to avoid:

Doing nothing because the device is encrypted is wrong: encryption protects data at rest, but signed-in apps and cached tokens keep working until IT revokes them, and a 6-digit PIN can be guessed or shoulder-surfed. Waiting a few days to see if it turns up wastes the window for remote wiping.

Last-Minute Facts

1. Always report phishing even if you did NOT click the link.
2. Always report lost/stolen devices even if they ARE encrypted.
3. Ransomware response order: disconnect from network FIRST, then notify IT; do NOT power off.
4. Never forward phishing emails to colleagues; report to IT instead.
5. Incident report must include: date/time, incident type, affected data, actions taken, evidence preserved.
6. Do not pay ransomware without organizational authorization; it funds criminals and does not guarantee recovery.
