Microsoft Certification • Cybersecurity Business Professional

SC-730 Complete Study Guide

This guide explains the exam content in simple words. It is designed for business professionals who use digital tools, cloud apps, collaboration platforms, and sensitive data but are not security specialists. Reference: Microsoft SC-730 official study guide.

Passing score: 700
Main skill areas: 4
Largest exam area: 30-35%
Sample questions: 20

00. Exam Map

Use this map to understand where your study time should go.

Skill area | Weight | What it means | Study priority
Understand cybersecurity risks and threats | 30 to 35% | Recognize phishing, malware, insider risks, public Wi-Fi risks, and suspicious communications. | Highest
Understand cybersecurity concepts | 25 to 30% | Know shared responsibility, security awareness, MFA, password managers, AI data safety, and key security terms. | High
Apply basic security practices | 25 to 30% | Protect accounts, devices, workspaces, sensitive data, backups, and data handling processes. | High
Report and respond to incidents | 10 to 15% | Know when to report, what information to include, and how to respond during breaches. | Medium
Best exam strategy: For scenario questions, usually choose the answer that verifies the request, protects data, follows policy, and reports the issue through the approved channel.

01. Understand Cybersecurity Concepts

Weight: 25 to 30%. This section checks whether you understand basic workplace security ideas and the employee role in reducing cyber risk.

Shared Responsibility Model

Security is not only the job of IT or the cloud provider.

Core idea
Key idea

In a modern organization, security is shared between the cloud provider, the organization, IT/security teams, managers, and employees. A provider may secure the cloud infrastructure, but the organization must configure access properly, and employees must use accounts and data safely.

Exam focus
  • Employees must protect passwords, devices, and sensitive files.
  • IT/security teams define policies, monitoring, response, and controls.
  • Managers help make sure teams follow policy and complete training.
  • Cloud providers protect the platform, but they do not stop every unsafe user action.
Example: If an employee shares a confidential file using a personal email account, that is not the cloud provider’s mistake. It is a user and policy problem.

Security Awareness and Accountability

Security awareness means knowing common risks and acting safely.

Core idea
Reader-friendly explanation

Security awareness is the habit of noticing suspicious activity, understanding company rules, and avoiding risky behavior. Accountability means each employee is responsible for how they use company systems and data.

Examples of good behavior
  • Complete required security training.
  • Report suspicious emails instead of ignoring them.
  • Use company-approved storage instead of personal drives.
  • Ask before sharing sensitive data with a new tool or vendor.
  • Follow clean desk, screen lock, and remote work rules.
Exam clue: If a question asks what an employee should do, the best answer is usually policy-based, cautious, and report-focused.

Passwords, Password Managers, and MFA

Accounts are one of the easiest ways attackers enter a business.

High value
Key idea

A strong password is long, unique, and hard to guess. A password manager helps users create and store unique passwords, so they do not reuse the same password across many services. Multifactor authentication, or MFA, adds another check beyond the password.

Exam focus
  • Password reuse is risky because one breach can expose many accounts.
  • MFA reduces risk when a password is stolen.
  • Password managers reduce weak password habits.
  • Users should never share passwords or MFA codes.
Example: If an attacker gets a password from a fake login page, MFA can still stop the login because the attacker does not have the second factor.

AI Tool Safety

AI tools can create privacy and data leakage risks.

High value
Reader-friendly explanation

Employees should not paste sensitive data into unapproved AI tools. AI tools may store, process, or expose information depending on the service and company settings. The safe action is to use only approved AI tools and follow the organization’s data policy.

Data you should not share with unapproved AI tools
  • Customer records and support conversations.
  • Personal data, such as names, addresses, IDs, or contact details.
  • Financial data, invoices, payroll, and bank information.
  • Source code, API keys, passwords, tokens, and recovery codes.
  • Legal documents, contracts, unreleased strategy, and internal reports.
Memory rule: If the information would be unsafe in a public email, do not place it in an unapproved AI tool.

Security Benefits and Risk Awareness

Business processes are common attack targets because they involve money, data, and access.

Exam scenarios
Business processes attackers may target
  • Invoice approval and payment changes.
  • Password reset and account recovery.
  • Vendor onboarding and contract approval.
  • Customer data export or file sharing.
  • HR payroll updates and employee records.
  • Executive approvals through email or chat.
Why updates and patches matter

Software updates often fix security weaknesses. Ignoring updates can leave devices open to known attacks. For exam questions, required security updates should be installed through the approved company process.

Example: A laptop with old browser software may be more vulnerable to malicious websites or fake downloads.

Cybersecurity Terms and Emerging Threats

Learn these words because they often appear inside scenario questions.

Must know
Term | Simple meaning | Example
Threat | Something that can cause harm. | A phishing attacker, malware, malicious insider, or fake website.
Vulnerability | A weakness that could be attacked. | An old app without security patches or a weak password.
Risk | The chance and impact of harm happening. | Using public Wi-Fi for sensitive work increases the risk of data exposure.
Exploit | A method used to attack a weakness. | Attack code that abuses an unpatched software bug.
Encryption | Making data unreadable without the correct key. | Protecting files, messages, or stored data from unauthorized reading.
Deepfake | AI-generated fake audio, image, or video that appears real. | A fake voice message pretending to be a manager approving payment.

02. Understand Cybersecurity Risks and Threats

Weight: 30 to 35%. This is the largest exam area. Spend the most time here.

Phishing

Fake messages designed to steal information, money, or access.

Very high
How it works

Phishing can come through email, SMS, chat, social media, or fake login pages. The message usually tries to make the user click a link, open an attachment, approve a login, send money, or share sensitive information.

Common warning signs
  • Urgent, threatening, or emotional language.
  • Unexpected invoice, file, password reset, or delivery notice.
  • Sender address or domain looks slightly wrong.
  • Link text looks normal, but the destination is suspicious.
  • Attachment type is unexpected or unusual.
  • Request for password, MFA code, payment, or confidential file.
Best response: Do not click. Do not download. Verify using a trusted channel. Report it.

Social Engineering

Attackers manipulate people by using trust, fear, urgency, or curiosity.

High
Types to know
  • Pretexting: attacker creates a fake story, such as pretending to be IT support.
  • Baiting: attacker offers something tempting, such as a free download, prize, or file.
  • Impersonation: attacker pretends to be a manager, vendor, customer, or coworker.
  • Business email compromise: attacker uses or imitates a business email account to request payments or data.
Exam clue: Requests involving money, access, secrecy, or urgency should be verified before action.

Malware and Ransomware

Malicious software can steal, damage, spy on, or lock data.

High
How infection can happen

Malware may enter through infected attachments, fake updates, unsafe downloads, compromised websites, removable devices, or stolen credentials.

Indicators of infection
  • Device becomes slow or unstable.
  • Unknown apps, pop-ups, or browser redirects appear.
  • Files are missing, renamed, encrypted, or locked.
  • Security tools are disabled unexpectedly.
  • System settings change without user action.
Best response: Stop using the device for work, keep evidence, disconnect if required by policy, and notify IT/security.

Public Wi-Fi and Remote Work Risks

Remote work increases risk when networks, devices, and workspaces are not protected.

Medium
Risks to understand
  • Fake Wi-Fi hotspots can trick users into connecting.
  • Attackers may try to intercept data on unsafe networks.
  • Shared devices can expose company files.
  • Shoulder surfing can expose screens in public places.
  • Personal cloud storage can leak company data.
Safer behavior
  • Use approved secure access methods.
  • Avoid sensitive work on unknown networks.
  • Lock the device when away.
  • Keep devices updated and encrypted if required.

Insider Threats

Insider threats come from people who already have access.

Medium
Reader-friendly explanation

An insider threat may be intentional or accidental. It can involve employees, contractors, vendors, or partners. Not every insider threat is malicious. A careless employee can also create risk by sending data to the wrong place.

Possible indicators
  • Accessing unusual files or systems without business need.
  • Copying large amounts of data unexpectedly.
  • Trying to bypass approval or security controls.
  • Using personal accounts to move company files.
  • Repeated policy violations.

Verify Digital Communications

Many attacks look like normal business messages.

Very high
Verification checklist
  1. Pause before acting on urgent requests.
  2. Check sender address, domain, links, and attachment type.
  3. Do not use phone numbers or links inside the suspicious message.
  4. Contact the person through a known trusted channel.
  5. Report suspicious requests for payments, access, or sensitive data.
Exam answer pattern: Verify first, then act. Do not approve, pay, click, download, or share before verification.

Access Controls

Access controls limit who can see, change, or share systems and data.

Important
Controls to know
  • Least privilege: give only the access needed for the job.
  • Role-based access: access is based on job role.
  • MFA: requires extra verification before account access.
  • Approval process: sensitive access requires manager or owner approval.
  • Access review: regularly check whether access is still needed.
Exam example

If a marketing employee only needs read access to a report, giving admin access is too risky. The safer answer is to grant the minimum required access and review it later.

03. Apply Basic Security Practices

Weight: 25 to 30%. This section tests practical, everyday behavior that protects accounts, devices, files, and workspaces.

Secure Devices and Workspaces

Physical and digital device safety both matter.

High
Safe practices
  • Use screen lock, passcode, or biometric sign-in.
  • Keep devices updated with required security patches.
  • Use approved apps, browsers, storage, and collaboration tools.
  • Do not leave work devices unattended in public places.
  • Do not let others use your work account or work device.
  • Keep printed sensitive documents away from public view.
  • Report lost or stolen devices immediately.

Recognize and Classify Sensitive Data

Different data types need different levels of protection.

High
Common sensitive data
  • Personal data: names, addresses, IDs, phone numbers, email addresses.
  • Financial data: bank details, card data, invoices, payroll, tax records.
  • Business confidential data: contracts, strategy, pricing, product plans, internal reports.
  • Credentials: passwords, MFA codes, API keys, tokens, recovery codes.
  • Customer data: customer records, support details, files, and private communication.
Exam clue: If a file contains personal, financial, customer, legal, credential, or business-confidential data, treat it as sensitive.

Sensitivity Labels and Rights Management

Labels and permissions help stop accidental sharing.

Medium
Label examples
  • Public: safe to share openly.
  • Internal: for employees only.
  • Confidential: limited to specific teams or people.
  • Highly Confidential: very restricted, often for legal, executive, financial, or sensitive customer data.
Rights management controls

Rights management can restrict who can open, edit, copy, print, download, forward, or share a file. It is useful when sensitive files need strong protection even after they are sent.

Safe Internet and Data Handling

Data should be protected during collection, use, transfer, storage, retention, and destruction.

High
Data lifecycle
  • Collect: collect only what is needed for a valid business reason.
  • Use: use data only for the approved purpose.
  • Transfer: send data only through approved secure methods.
  • Store: keep data in approved protected locations.
  • Retain: keep data only as long as policy requires.
  • Destroy: delete or dispose of data safely when it is no longer needed.

Backup and Recovery

Backups help the organization recover from mistakes, system issues, malware, or ransomware.

Medium
Key idea

A backup is a protected copy of data. Recovery means restoring data or systems after loss or damage. Employees help recovery by saving work in approved locations where backup policies apply.

Safe employee behavior
  • Store work files in approved cloud or company storage.
  • Do not keep the only copy on a personal device.
  • Report missing or corrupted files quickly.
  • Follow recovery instructions instead of trying random fixes.
Example: A file saved only on a personal laptop may not be recoverable after device loss. A file saved in approved company storage is more likely to be backed up.

04. Report and Respond to Security Incidents

Weight: 10 to 15%. This section is smaller, but very practical. Learn the correct response flow.

When to Report

Report early. Do not wait until damage is confirmed.

Easy marks
Situations that require reporting
  • Phishing attempt or suspicious message.
  • Lost or stolen work phone, laptop, badge, or storage device.
  • Unauthorized access to an account, file, or system.
  • Accidental sharing of sensitive information.
  • Malware signs or ransomware warning.
  • Policy violation involving customer or company data.
  • Suspicious payment or access request.

What to Include in a Report

A good report helps security teams act quickly.

Easy marks
Incident report details
  • Date and time of the incident.
  • Type of incident, such as phishing, lost device, malware, or data exposure.
  • Affected data, account, device, system, or person.
  • Evidence, such as screenshots, sender address, file name, or link.
  • What action was already taken.
  • How urgent or sensitive the situation is.

Basic Breach Response Flow

The safest answer usually limits damage, preserves evidence, and notifies the correct team.

Must know
Correct response steps
  1. Stop the risky action immediately.
  2. Do not delete messages, files, logs, or evidence.
  3. Disconnect the affected device if required by policy or if malware/ransomware is suspected.
  4. Do not forward suspicious files or links to others.
  5. Report through the approved channel, such as help desk, incident form, or security email.
  6. Escalate when sensitive data, ransomware, unauthorized access, or major business impact is involved.
Wrong responses
  • Ignoring the issue.
  • Deleting evidence before reporting.
  • Trying to investigate a serious breach alone.
  • Paying an attacker.
  • Forwarding suspicious attachments to coworkers.
  • Sharing breach details in public channels.
Memory rule: Stop, preserve, report, escalate.

05. Memory Rules

Use these simple rules to answer scenario questions faster.

Verify before trust

For money, access, files, or sensitive data, verify through a known trusted channel.

Report early

Suspicious activity should be reported quickly, even if you are not fully sure.

Use approved tools

Company data belongs in company-approved apps, storage, and communication channels.

Least privilege

Give the minimum access needed for the job, not extra access for convenience.

MFA beats password-only

MFA helps protect accounts even if the password is stolen.

Do not delete evidence

Keep suspicious emails, screenshots, links, and file details for investigation.

06. Quick Glossary

Use this section for fast revision before the exam.

Concept | Simple meaning | Exam clue
MFA | Extra verification besides password. | Best answer when account protection is needed.
Password manager | Tool that stores unique strong passwords. | Helps stop password reuse.
Phishing | Fake message to steal info, money, or access. | Urgent email, fake link, unexpected attachment.
Pretexting | Fake story to gain trust. | Someone pretends to be IT, vendor, bank, or manager.
Baiting | Tempting offer used to trick users. | Free download, prize, USB, or fake file.
Insider threat | Risk from someone inside or connected to the organization. | Unusual access, copying files, bypassing policy.
Ransomware | Malware that locks data and demands payment. | Disconnect/report/escalate. Do not handle alone.
Sensitivity label | Label that classifies and protects a document. | Public, Internal, Confidential, Highly Confidential.
Rights management | Controls what users can do with a file. | Restrict open, edit, print, copy, forward, or download.
Data retention | How long data should be kept. | Keep data only as long as policy requires.
Data destruction | Safe removal of data when no longer needed. | Use approved deletion or disposal process.
Deepfake | AI-generated fake media that looks or sounds real. | Verify unusual voice or video requests before acting.

07. Sample Questions

These are practice-style questions for revision, not official Microsoft questions.

1. An employee receives an urgent email asking to change vendor bank details. What should they do first?

Verify the request through an approved trusted channel before changing payment details.

2. Why is MFA better than password-only login?

MFA adds a second proof of identity, so a stolen password alone is not enough.

3. What data should not be shared with unapproved AI tools?

Customer data, personal data, confidential business data, passwords, API keys, source code, legal data, and financial data.

4. A work laptop is lost. What is the best first action?

Report it immediately through the company-approved reporting channel.

5. What are common signs of malware?

Slow device, unknown apps, pop-ups, browser redirects, missing files, locked files, or disabled security tools.

6. What should be included in an incident report?

Date, time, incident type, affected data or system, evidence, people involved, and actions already taken.

7. A message contains a suspicious link. What is the safest action?

Do not click it. Verify the sender using a trusted method and report the message.

8. What does rights management help control?

It controls who can open, edit, copy, print, download, forward, or share protected files.

9. What is the difference between a threat and a vulnerability?

A threat can cause harm. A vulnerability is a weakness that the threat can attack.

10. Why is password reuse risky?

If one reused password is stolen, attackers may use it to access other accounts.

11. What is pretexting?

Pretexting is when an attacker creates a fake story to gain trust, such as pretending to be IT support.

12. What is baiting?

Baiting uses something tempting, such as a free download or fake prize, to trick the user into unsafe action.

13. What should an employee do before approving a request for sensitive data?

Verify the request, confirm business need, use approved channels, and follow company policy.

14. Why are software updates important?

Updates often fix known security weaknesses and reduce the risk of attack.

15. What does least privilege mean?

Users should receive only the minimum access needed to perform their job.

16. A file contains customer records and financial data. Which label is most likely appropriate?

A confidential or highly confidential label, depending on company policy and sensitivity.

17. What is the risk of public Wi-Fi?

Attackers may create fake hotspots, intercept traffic, or trick users into fake login pages.

18. What should you do if you accidentally share sensitive data with the wrong person?

Stop further sharing, preserve details, and report it through the correct channel immediately.

19. Why should work files be stored in approved company storage?

Approved storage is more likely to have access controls, backup, recovery, monitoring, and compliance protections.

20. When is escalation required during an incident?

Escalate when sensitive data is exposed, ransomware is suspected, unauthorized access occurs, or there is major business impact.

08. 7-Day Study Plan

Use this for fast preparation. Spend more time on threats, phishing, verification, and safe data handling.

Day 1

Cybersecurity basics

Study threat, vulnerability, risk, exploit, encryption, deepfakes, shared responsibility, and accountability.

Day 2

Accounts and access

Study strong passwords, password managers, MFA, access controls, least privilege, and approved tools.

Day 3

Phishing and social engineering

Study suspicious emails, links, attachments, pretexting, baiting, impersonation, payment requests, and verification steps.

Day 4

Malware and insider threats

Study ransomware, malware signs, abnormal system behavior, insider threat indicators, and public Wi-Fi risks.

Day 5

Data protection

Study sensitive data types, sensitivity labels, rights management, AI tool risks, and the data lifecycle.

Day 6

Incident reporting

Study reporting channels, report details, lost device response, breach response, evidence preservation, and escalation rules.

Day 7

Mock review

Review the glossary and answer all sample questions. For scenarios, choose answers that verify, protect, report, and follow policy.

09. Official Reference

This study guide is based on the official Microsoft SC-730 study guide.