Microsoft Secure Score tells you 62%. What Microsoft actually does with that number is compare you to tenants similar to yours in size and industry and tell you that 62% is roughly what your peers score too. That is grading on a curve. It can reassure a board. It does nothing for an auditor, who hears the same number and calls 38% of recommended security controls unimplemented. And in traditional grading, where 60-69% is a D, 62% isn't passing anything. Same number, three different conclusions, and this is exactly the disconnect that gets financial institutions into trouble.
"Secure Score grades on a curve. If your peers are also failing to finish MFA rollout, you still get credit for being mediocre. Your bank examiner grades on the regulation, not on the curve."
ABT security program framing for regulated financial institutions
Secure Score is a useful starting point. It is not a security strategy. It rewards easy wins over hard controls. It does not map to the regulatory frameworks that govern banks, credit unions, and mortgage companies. And it does not tell you whether your institution is actually protected against the threats that matter.
Guardian Security Insights starts where Secure Score stops. It uses the score as one input among many, sets a 90%+ target across all four categories, and wraps the number in operational context that turns a metric into a security program.
The Problem with Grading on a Curve
Microsoft Secure Score calculates a percentage based on how many recommended actions your tenant has implemented across four categories: Identity, Data, Devices, and Apps. It sounds straightforward. The problems are in the details.
The Score Rewards Low-Hanging Fruit
Some Secure Score actions are worth more points than others. But the weighting does not always reflect actual risk. An institution can reach 65% by implementing a dozen easy changes while leaving the hard ones (device compliance, DLP enforcement, Conditional Access for all users) untouched. The score goes up. The actual risk stays the same.
The Comparison Is Misleading
Microsoft shows how your score compares to "similar organizations." But "similar" is based on tenant size and industry, not regulatory profile. A community bank holding member Social Security numbers and loan data has a different threat model than a marketing agency with the same number of users. The comparison creates false comfort.
The Score Does Not Map to Compliance
No regulator accepts Secure Score as compliance evidence. The FFIEC examination handbook, GLBA Safeguards Rule, NCUA ACET, and state regulators all require specific controls documented with specific evidence. Secure Score measures Microsoft's recommended actions, not your regulator's required controls. The overlap is significant but not complete.
The Score Is a Snapshot, Not a Trend
Secure Score shows today's number. It does not show last Tuesday's number, or the fact that someone created a Conditional Access exclusion on Wednesday that dropped your Identity score by 8 points. Without trend data and change tracking, a good score today can mask a deteriorating trajectory.
The IBM X-Force Threat Intelligence Index 2026 found valid account credentials accounted for 32% of all initial access vectors in 2025. Exploitation of public-facing applications surged 44% to become the single largest entry point. Globally, organizations faced 1,968 cyberattacks per week on average in 2025, a 70% increase since 2023. Your Secure Score may say MFA is enabled. The threat landscape says attackers have moved to the credentials, tokens, and session data that bypass MFA entirely.
What Financial Institutions Actually Need
Financial institution IT teams need a security operating model that answers three questions every day:
- What changed since yesterday? New risks, policy modifications, enrollment gaps, device compliance changes.
- What should we fix first? Prioritized by actual risk to the institution, not by Secure Score point value.
- Can we prove it to our regulators? Evidence that maps to GLBA, FFIEC, NCUA, FTC Safeguards Rule, and state requirements.
Secure Score partially answers question two. Guardian Security Insights answers all three. For financial institutions navigating both the FFIEC's shift to NIST CSF 2.0 and an accelerating threat landscape, a metric without operational context is not a security program.
How Guardian Security Insights Goes Beyond the Score
Category-Level Visibility with Operational Context
Guardian Security Insights breaks Secure Score into its four components (Identity, Data, Devices, Apps) and adds operational context to each. A score of 75% in Identity means something different depending on whether the remaining 25% is legacy authentication (critical risk) or a cosmetic setting like login page branding (minimal risk).
For each category, Guardian Security Insights shows:
- Current score and 30/60/90-day trend
- Specific unimplemented actions ranked by actual risk, not point value
- Estimated effort and impact for each action
- Regulatory mapping (which framework requires this control)
Your IT team sees the same data Microsoft provides, organized by what matters to a regulated financial institution instead of what matters to Microsoft's scoring algorithm.
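The category breakdown and change tracking described above (and the Conditional Access exclusion that silently drops an Identity score, from the trend section earlier) can be reproduced from two nightly snapshots. This is an added example, not Guardian's code; the snapshot shape is constructed here, and real data would be mapped into it from the Microsoft Graph secureScores endpoint.

```python
from typing import Dict, List, Tuple

# Constructed snapshot shape (assumed, not the Graph schema): one dict per control with
# the points earned and the maximum available, plus the Secure Score category it sits in.
Snapshot = List[dict]

def category_percentages(snapshot: Snapshot) -> Dict[str, float]:
    """Percentage earned per category, so a 75% Identity score is shown next to Data/Devices/Apps."""
    earned: Dict[str, float] = {}
    maximum: Dict[str, float] = {}
    for c in snapshot:
        earned[c["category"]] = earned.get(c["category"], 0.0) + c["score"]
        maximum[c["category"]] = maximum.get(c["category"], 0.0) + c["max_score"]
    return {cat: round(100.0 * earned[cat] / maximum[cat], 1) for cat in maximum}

def overall_percentage(snapshot: Snapshot) -> float:
    """The single number the Microsoft portal shows."""
    return round(100.0 * sum(c["score"] for c in snapshot) / sum(c["max_score"] for c in snapshot), 1)

def regressions(yesterday: Snapshot, today: Snapshot) -> List[Tuple[str, float]]:
    """Controls whose earned points fell since the previous scan, with the size of the drop."""
    prev = {c["name"]: c["score"] for c in yesterday}
    return [(c["name"], prev[c["name"]] - c["score"])
            for c in today if c["name"] in prev and c["score"] < prev[c["name"]]]

def category_deltas(yesterday: Snapshot, today: Snapshot) -> Dict[str, float]:
    """Day-over-day change per category; a negative Identity delta is the case the article describes."""
    before, after = category_percentages(yesterday), category_percentages(today)
    return {cat: round(after[cat] - before[cat], 1) for cat in after}

def _ctrl(name: str, category: str, score: float, max_score: float) -> dict:
    return {"name": name, "category": category, "score": score, "max_score": max_score}

# Constructed sample: control names and point values are illustrative, not real Secure Score controls.
YESTERDAY: Snapshot = [
    _ctrl("Require MFA for all users", "Identity", 10, 10),
    _ctrl("Block legacy authentication", "Identity", 8, 8),
    _ctrl("Risk-based sign-in policy", "Identity", 7, 7),
    _ctrl("DLP policy for financial data", "Data", 5, 10),
    _ctrl("Sensitivity labels published", "Data", 5, 5),
    _ctrl("Intune compliance policy enforced", "Devices", 4, 10),
    _ctrl("Safe Links enabled", "Apps", 5, 5),
]
# Same tenant one day later: a Conditional Access exclusion cost the MFA control two points.
TODAY: Snapshot = [dict(c, score=8) if c["name"] == "Require MFA for all users" else dict(c)
                   for c in YESTERDAY]

if __name__ == "__main__":
    print("overall:", overall_percentage(YESTERDAY), "->", overall_percentage(TODAY))
    print("categories:", category_percentages(TODAY))
    print("deltas:", category_deltas(YESTERDAY, TODAY))
    print("regressions:", regressions(YESTERDAY, TODAY))
```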
MFA Coverage That Tells the Truth
Secure Score checks whether MFA is "enabled." Guardian Security Insights checks whether MFA is completed. The distinction matters enormously.
A user who started MFA registration but never finished shows as "enabled" in the Microsoft admin portal and counts toward your Secure Score. But that user has no second factor protecting their account. They are as vulnerable as someone with no MFA at all. As device code phishing and adversary-in-the-middle attacks grow, the gap between MFA-registered and MFA-enforced has real consequences.
Guardian Security Insights identifies every user in this gap state. For the financial institutions ABT manages, this gap typically affects 5-15% of the user base at any given time. Those users are the ones attackers will find first.
Stale Account Detection That Connects to Cost
Secure Score does not track stale accounts. Guardian Security Insights does. An account that has not been used in 90 days is a risk (credentials can be compromised without anyone noticing) and a cost (the license is still being paid for).
For a 300-user financial institution, stale accounts typically sit at 8-12% of the user base. That's 24 to 36 accounts nobody is using, and the institution is still paying for all of them. At $22 per user per month for Business Premium, that's $6,336 to $9,504 per year in licenses tied to inactive accounts that are also security liabilities.
Guardian Security Insights surfaces stale accounts in the nightly scan with the specific account names, last login dates, and assigned licenses. Your team can disable the accounts and reclaim the licenses in the same action.
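The two checks described above, the MFA registered-but-not-enforced gap and stale accounts with their license cost, can be run over per-user records like the ones a nightly scan collects. This is an added example, not Guardian's code; the records are constructed, and their field names are modelled on the Microsoft Graph userRegistrationDetails (isMfaRegistered, isMfaCapable) and signInActivity (lastSignInDateTime) resources, which is an assumption about how a real scan would source them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

STALE_AFTER_DAYS = 90          # dormancy threshold used in the article
LICENSE_PER_USER_MONTH = 22.0  # Business Premium price per user per month used in the article (USD)

@dataclass
class UserRecord:
    upn: str
    is_mfa_registered: bool           # a strong method is registered (modelled on Graph isMfaRegistered)
    is_mfa_capable: bool              # that method is allowed by policy, so MFA is actually enforceable
    last_sign_in: Optional[datetime]  # modelled on Graph signInActivity.lastSignInDateTime; None = never
    licensed: bool                    # at least one paid license is assigned

def mfa_state(u: UserRecord) -> str:
    """'enforced' only when a policy-allowed strong method is in place.
    Registered-but-not-capable is the gap that a plain 'MFA enabled' count hides."""
    if u.is_mfa_capable:
        return "enforced"
    return "registered_not_capable" if u.is_mfa_registered else "unregistered"

def is_stale(u: UserRecord, now: datetime) -> bool:
    if u.last_sign_in is None:
        return True  # never signed in: dormant from day one
    return now - u.last_sign_in > timedelta(days=STALE_AFTER_DAYS)

def annual_stale_license_cost(user_count: int, stale_fraction: float) -> float:
    """The article's back-of-envelope figure: 300 users at 8% stale -> $6,336 per year."""
    stale_users = round(user_count * stale_fraction)
    return stale_users * LICENSE_PER_USER_MONTH * 12

def summarize(users: List[UserRecord], now: datetime) -> dict:
    """What a nightly scan would report: who is in the MFA gap, who is stale, and what that costs."""
    stale = [u for u in users if is_stale(u, now)]
    return {
        "mfa_gap": [u.upn for u in users if mfa_state(u) != "enforced"],
        "stale": [u.upn for u in stale],
        "stale_license_cost_per_year": sum(LICENSE_PER_USER_MONTH * 12 for u in stale if u.licensed),
    }

# Constructed sample tenant (not real accounts); the scan date is fixed so results are reproducible.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)
SAMPLE_USERS = [
    UserRecord("alice@example.com", True,  True,  _d(2026, 2, 27), True),   # healthy
    UserRecord("bob@example.com",   True,  False, _d(2026, 2, 20), True),   # registered, not enforceable
    UserRecord("carol@example.com", False, False, _d(2025, 10, 1), True),   # unregistered and stale
    UserRecord("dave@example.com",  True,  True,  None,            True),   # licensed, never signed in
    UserRecord("erin@example.com",  False, False, _d(2026, 2, 28), False),  # unregistered, unlicensed
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_USERS, NOW).items():
        print(f"{key}: {value}")
```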
Device Compliance Beyond Enrollment
Secure Score measures whether Intune is configured. Guardian Security Insights measures whether devices are actually compliant. A tenant with Intune enabled but 40% of devices failing compliance checks looks good on Secure Score and terrible on the ground.
Guardian Security Insights tracks device compliance rates daily. It identifies devices running outdated operating systems, missing encryption, or failing to report to Intune. For financial institutions where every device accesses member or customer data, device compliance is not optional. Running a structured Entra ID security assessment reveals the specific gaps that Intune enrollment counts do not surface.
Compliance Evidence as a Byproduct
The FFIEC retired its Cybersecurity Assessment Tool in August 2025. The NCUA updated its ACET to align with NIST Cybersecurity Framework 2.0. State regulators like NYDFS have their own requirements. The FTC Safeguards Rule applies to every financial institution handling consumer data.
Guardian Security Insights does not require a separate compliance reporting workflow. The same nightly scans that detect MFA gaps and stale accounts produce the evidence your auditor needs. MFA enforcement logs map to access control requirements. Device compliance records map to endpoint protection requirements. Conditional Access policies map to data protection requirements.
When the examiner asks "show me proof that MFA is enforced for all users accessing sensitive data," you pull the report from yesterday's Guardian Security Insights scan. You do not spend three days building a spreadsheet. Institutions with mature M365 data loss prevention configurations find their Guardian evidence package is already aligned to examiner expectations.
ABT manages 750+ financial institution Microsoft 365 tenants on Guardian, serving credit unions, banks, and mortgage companies. Inside that managed footprint, MFA enforcement gaps get closed in the first 30-day scan cycle. Guardian Security Insights surfaces registration-started-but-not-completed users the night they appear, and the remediation is a one-pane workflow. The wider FI market tells a different story. In the prospective-client tenants we assess before onboarding, most institutions score in the 30-60% range on the Identity category and have a meaningful share of their user population stuck in incomplete MFA registration states that Secure Score's percentage quietly obscures. Microsoft's February 2026 mandate requiring MFA for all Microsoft 365 admin center access accelerated remediation on the admin side, but the end-user registration gap is where identity risk actually lives, and where Guardian Security Insights does its most visible work on the institutions we bring into the managed footprint.
Source: ABT Security Grade Assessments across pre-onboarding financial institution tenants (2024-2026); Microsoft MFA admin mandate effective February 2026
Your Secure Score Says Green. Your Auditor Disagrees.
90% of organizations have MFA enabled. Only a fraction have automated enforcement that catches registration-started-but-not-completed users, token replay attacks, and service accounts using app passwords that bypass MFA entirely. A Security Grade Assessment shows what's behind the number.
The Credential Crisis Scores Can't See
The threat landscape has shifted underneath point-in-time scoring. While Secure Score rewards MFA enablement, attackers have moved to credential harvesting at industrial scale.
IBM X-Force Threat Intelligence Index 2026 found infostealers harvested credentials at unprecedented scope, including over 300,000 AI service account credentials advertised on dark web markets in 2025 alone. Organizations worldwide faced an average of 1,968 cyberattacks per week in 2025, a 70% increase since 2023. Valid account credentials remained a top-two initial access vector, accounting for 32% of all tracked intrusions in the year.
For credit unions, banks, and mortgage companies, this means the MFA checkbox in Secure Score is necessary but nowhere near sufficient. The question isn't "Is MFA enabled?" The questions are:
- Are any users stuck in registration-started-but-not-completed MFA states?
- Are Conditional Access policies catching token replay and adversary-in-the-middle attacks?
- Are former employees' credentials still active in the tenant?
- Are service accounts using app passwords that bypass MFA entirely?
- Are devices accessing the tenant from IP ranges that should be blocked?
Guardian Security Insights answers these questions in its nightly scan. Secure Score doesn't ask them.
The 90% Target and Why It Matters
ABT targets 90% or higher Secure Score across all four categories for every managed tenant. Most financial institutions start between 35% and 55%.
The 90% target is not arbitrary. It represents a posture where:
- Legacy authentication is blocked (stops 99% of password spray attacks)
- MFA is fully enrolled for all users (not just registered)
- All devices meet compliance policies
- DLP policies protect sensitive data types
- Email authentication (SPF/DKIM/DMARC) prevents spoofing
- Conditional Access restricts access by location, device, and risk level
The remaining 10% typically consists of controls that require trade-offs: settings that would break specific workflows, controls that duplicate coverage from other tools, or Microsoft recommendations that do not apply to the institution's environment.
Cyber insurance carriers now factor Secure Score into underwriting. Demonstrating 90%+ in MFA and Data Protection can reduce premiums. Guardian Security Insights gives your CFO the documentation to make that case during renewal negotiations.
"Financial services was the most-breached industry for the second consecutive year in 2025. The institutions that survived without headline-making incidents weren't the ones with the highest scores. They were the ones with actual security programs."
Analysis based on ITRC 2025 Annual Data Breach Report
From Score to Security Program
Secure Score is a number. A security program is a discipline. The difference shows up in how your institution handles the unexpected.
When a new vulnerability is disclosed, a score-focused team checks whether it affects their Secure Score. A program-focused team checks whether it affects their users, their data, and their compliance posture. Guardian Security Insights provides the visibility for the second approach.
When a vendor is breached, a score-focused team has no immediate action items. A program-focused team checks their Conditional Access policies, reviews third-party application permissions, and verifies that the breach did not affect their tenant. Guardian Security Insights surfaces this information without requiring your team to know where to look.
When a regulator updates their requirements, a score-focused team starts a new compliance project. A program-focused team checks their existing controls against the new requirements and finds they already meet most of them because they built the program on fundamentals, not point-chasing.
ABT's Architecture Advantage
ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. No third-party MSP platforms. Guardian Security Insights is built on the same Microsoft tools your institution already licenses: Entra ID, Intune, Defender, Purview, and Sentinel.
This matters for going beyond Secure Score because the data sources are native. Guardian Security Insights reads directly from Microsoft's APIs. There is no translation layer, no third-party data warehouse, no secondary sync that introduces lag or data loss. The findings are as current as the data in your tenant.
ABT serves 750+ financial institutions. That scale means the Guardian team has tuned its scanning, prioritization, and remediation guidance across thousands of tenants. The recommendations your team receives are informed by patterns across the largest financial institution MSP client base in the market, not generic guidance drawn from cross-industry averages.
Your Score Is Not Your Security
A number on a dashboard tells you where you stand. A managed security program tells you where you're going and how to get there. See what Guardian Security Insights reveals about your Microsoft 365 environment that Secure Score can't.
Frequently Asked Questions
Secure Score measures implementation of Microsoft's recommended actions, not regulatory requirements. No regulator accepts Secure Score as compliance evidence. GLBA, FFIEC, NCUA, and state regulators require specific controls with documented evidence. Guardian Security Insights maps nightly scan results to these regulatory frameworks, turning security monitoring data into audit-ready compliance documentation.
ABT targets 90% or higher across all four Secure Score categories for every managed tenant. Most financial institutions start between 35% and 55%. The 90% target represents full legacy auth blocking, complete MFA enrollment, device compliance enforcement, active DLP policies, and Conditional Access enforcement. Cyber insurance carriers factor Secure Score into underwriting decisions.
Secure Score counts users as MFA-enabled once registration begins. Guardian Security Insights distinguishes between MFA-registered and MFA-enrolled. Users who started setup but never completed the second factor appear compliant in Microsoft dashboards while remaining unprotected. Guardian Security Insights identifies this gap in nightly scans, typically affecting 5-15% of users in financial institution tenants.
The FFIEC retired its Cybersecurity Assessment Tool in August 2025 and directed institutions to NIST Cybersecurity Framework 2.0. The NCUA released an updated ACET aligned with the same framework for credit unions. Financial institutions must now assess against NIST CSF 2.0 standards. Guardian Security Insights produces evidence mapped to this framework from its nightly monitoring operations.
Yes. Cyber insurance carriers use Secure Score data during underwriting. Demonstrating high scores in MFA enforcement and Data Protection categories can reduce premiums. Guardian Security Insights tracks Secure Score trends with 30/60/90-day history and produces documentation that CFOs can present during insurance renewal negotiations to demonstrate security posture improvements over time.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch built Guardian Security Insights to answer the question every regulated institution faces: what does your security posture actually look like beyond the score? With 750+ financial institutions under management, ABT's Guardian platform operationalizes the security program that Secure Score only measures, turning nightly scans into audit-ready evidence and daily compliance discipline.