Microsoft Secure Score tells you 62%. Your board hears "passing grade." Your auditor hears "38% of recommended security controls are not implemented." Same number, two completely different conclusions. This disconnect is where financial institutions get into trouble.
Secure Score is a useful starting point. It is not a security strategy. It grades on a curve. It rewards easy wins over hard controls. It does not map to the regulatory frameworks that govern banks, credit unions, and financial institutions. And it does not tell you whether your institution is actually protected against the threats that matter.
Guardian Security Insights starts where Secure Score stops. It uses the score as one input among many, sets a 90%+ target across all four categories, and wraps the number in operational context that turns a metric into a security program.
The Problem with Grading on a Curve
Microsoft Secure Score calculates a percentage based on how many recommended actions your tenant has implemented across four categories: Identity, Data, Devices, and Apps. It sounds straightforward. The problems are in the details.
The Score Rewards Low-Hanging Fruit
Some Secure Score actions are worth more points than others. But the weighting does not always reflect actual risk. An institution can reach 65% by implementing a dozen easy changes while leaving the hard ones (device compliance, DLP enforcement, Conditional Access for all users) untouched. The score goes up. The actual risk stays the same.
The Comparison Is Misleading
Microsoft shows how your score compares to "similar organizations." But "similar" is based on tenant size and industry, not regulatory profile. A community bank holding member Social Security numbers and loan data has a different threat model than a marketing agency with the same number of users. The comparison creates false comfort.
The Score Does Not Map to Compliance
No regulator accepts Secure Score as compliance evidence. The FFIEC examination handbook, GLBA Safeguards Rule, NCUA ACET, and state regulators all require specific controls documented with specific evidence. Secure Score measures Microsoft's recommended actions, not your regulator's required controls. The overlap is significant but not complete.
The Score Is a Snapshot, Not a Trend
Secure Score shows today's number. It does not show last Tuesday's number, or the fact that someone created a Conditional Access exclusion on Wednesday that dropped your Identity score by 8 points. Without trend data and change tracking, a good score today can mask a deteriorating trajectory.
Credential-based attacks are accelerating faster than point-in-time scores can track. IBM X-Force documented an 84% increase in infostealers delivered via phishing in 2024, with early 2025 data showing a 180% weekly volume increase over 2023 levels. Valid account credentials now account for 30% of all initial access vectors — tied for the most common entry point. Your Secure Score may say MFA is enabled. The threat landscape says attackers are finding ways around it.
What Financial Institutions Actually Need
Financial institution IT teams need a security operating model that answers three questions every day:
- What changed since yesterday? New risks, policy modifications, enrollment gaps, device compliance changes.
- What should we fix first? Prioritized by actual risk to the institution, not by Secure Score point value.
- Can we prove it to our regulators? Evidence that maps to GLBA, FFIEC, NCUA, FTC Safeguards Rule, and state requirements.
Secure Score partially answers question two. Guardian Security Insights answers all three.
How Guardian Security Insights Goes Beyond the Score
Category-Level Visibility with Operational Context
Guardian Security Insights breaks Secure Score into its four components (Identity, Data, Devices, Apps) and adds operational context to each. A score of 75% in Identity means something different depending on whether the remaining 25% is legacy authentication (critical risk) or a cosmetic setting like login page branding (minimal risk).
For each category, Guardian Security Insights shows:
- Current score and 30/60/90-day trend
- Specific unimplemented actions ranked by actual risk, not point value
- Estimated effort and impact for each action
- Regulatory mapping (which framework requires this control)
Your IT team sees the same data Microsoft provides, organized by what matters to a regulated financial institution instead of what matters to Microsoft's scoring algorithm.
MFA Coverage That Tells the Truth
Secure Score checks whether MFA is "enabled." Guardian Security Insights checks whether MFA is completed. The distinction matters enormously.
A user who started MFA registration but never finished shows as "enabled" in the Microsoft admin portal and counts toward your Secure Score. But that user has no second factor protecting their account. They are as vulnerable as someone with no MFA at all.
Guardian Security Insights identifies every user in this gap state. For the financial institutions ABT manages, this gap typically affects 5-15% of the user base at any given time. Those users are the ones attackers will find first.
Stale Account Detection That Connects to Cost
Secure Score does not track stale accounts. Guardian Security Insights does. An account that has not been used in 90 days is a risk (credentials can be compromised without anyone noticing) and a cost (the license is still being paid for).
For a financial institution with 300 users, stale accounts typically represent 8-12% of the user base. At $22 per user per month for Business Premium licensing, that is $7,920 to $9,504 per year in wasted licenses attached to accounts that are security liabilities.
Guardian Security Insights surfaces stale accounts in the nightly scan with the specific account names, last login dates, and assigned licenses. Your team can disable the accounts and reclaim the licenses in the same action.
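The two checks described above (registration-started-but-not-completed MFA, and 90-day stale accounts priced at the Business Premium license rate) reduce to a classifier over the tenant's user export. The following is an added example, not Guardian Security Insights or Microsoft code; the field names are modelled on the Entra ID registration and sign-in activity reports, and the records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

STALE_AFTER_DAYS = 90           # the article's stale-account threshold
LICENSE_USD_PER_MONTH = 22.0    # the article's Business Premium price

@dataclass
class User:
    upn: str
    enabled: bool
    mfa_registered: bool        # registration started: what the portal reports as "enabled"
    mfa_capable: bool           # a second factor actually completed (assumed field name)
    last_sign_in: Optional[datetime]   # None = never signed in
    licensed: bool

def mfa_gap(users: List[User]) -> List[str]:
    """Enabled accounts that started MFA registration but have no working second factor."""
    return [u.upn for u in users if u.enabled and u.mfa_registered and not u.mfa_capable]

def stale_accounts(users: List[User], now: datetime, days: int = STALE_AFTER_DAYS) -> List[str]:
    """Enabled accounts with no sign-in inside the window; never-signed-in counts as stale."""
    cutoff = now - timedelta(days=days)
    return [u.upn for u in users
            if u.enabled and (u.last_sign_in is None or u.last_sign_in < cutoff)]

def wasted_license_usd_per_year(users: List[User], stale: List[str]) -> float:
    """Annual cost of licenses still assigned to stale accounts."""
    stale_set = set(stale)
    return sum(LICENSE_USD_PER_MONTH * 12 for u in users if u.upn in stale_set and u.licensed)

def nightly_scan(users: List[User], now: datetime) -> dict:
    gap, stale = mfa_gap(users), stale_accounts(users, now)
    return {"mfa_gap": gap, "stale": stale,
            "wasted_usd_per_year": wasted_license_usd_per_year(users, stale)}

# Constructed sample export (not real tenant data).
NOW = datetime(2025, 11, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    User("alice@example.com", True, True, True, NOW - timedelta(days=2), True),     # healthy
    User("bob@example.com", True, True, False, NOW - timedelta(days=1), True),      # MFA gap
    User("carol@example.com", True, True, True, NOW - timedelta(days=120), True),   # stale, licensed
    User("dave@example.com", True, False, False, None, False),                      # stale, unlicensed
    User("erin@example.com", False, True, False, NOW - timedelta(days=200), True),  # disabled: ignored
]

if __name__ == "__main__":
    print(nightly_scan(SAMPLE_USERS, NOW))
```

Disabled accounts are excluded from both lists because the page's concern is active accounts that still carry risk or cost; widen the window with the `days` parameter to test a different inactivity threshold.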
Device Compliance Beyond Enrollment
Secure Score measures whether Intune is configured. Guardian Security Insights measures whether devices are actually compliant. A tenant with Intune enabled but 40% of devices failing compliance checks looks good on Secure Score and terrible on the ground.
Guardian Security Insights tracks device compliance rates daily. It identifies devices running outdated operating systems, missing encryption, or failing to report to Intune. For financial institutions where every device accesses member or customer data, device compliance is not optional.
Compliance Evidence as a Byproduct
The FFIEC retired its Cybersecurity Assessment Tool in August 2025. The NCUA updated its ACET to align with NIST Cybersecurity Framework 2.0. State regulators like NYDFS have their own requirements. The FTC Safeguards Rule applies to every financial institution handling consumer data.
Guardian Security Insights does not require a separate compliance reporting workflow. The same nightly scans that detect MFA gaps and stale accounts produce the evidence your auditor needs. MFA enforcement logs map to access control requirements. Device compliance records map to endpoint protection requirements. Conditional Access policies map to data protection requirements.
When the examiner asks "show me proof that MFA is enforced for all users accessing sensitive data," you pull the report from yesterday's Guardian Security Insights scan. You do not spend three days building a spreadsheet.
Your Secure Score Says Green. Your Auditor Disagrees.
90% of organizations have MFA enabled. Only 41% have automated enforcement. A Security Grade Assessment shows what's behind the number — the MFA gaps, stale accounts, and device compliance drift that Secure Score rewards you for ignoring.
The Credential Crisis Scores Can't See
The threat landscape has shifted underneath point-in-time scoring. While Secure Score rewards MFA enablement, attackers have moved to credential harvesting at industrial scale.
IBM X-Force found 800 million potential credential pairs available on the dark web. Check Point documented a 160% surge in compromised credentials throughout 2025 compared to 2024. Valid account credentials and exploitation of public-facing applications each accounted for 30% of all initial access in 2024 — tied for the most common entry point.
For banks and credit unions, this means the MFA checkbox in Secure Score is necessary but nowhere near sufficient. The question isn't "Is MFA enabled?" The questions are:
- Are any users stuck in registration-started-but-not-completed MFA states?
- Are Conditional Access policies catching token replay and adversary-in-the-middle attacks?
- Are former employees' credentials still active in the tenant?
- Are service accounts using app passwords that bypass MFA entirely?
- Are devices accessing the tenant from IP ranges that should be blocked?
Guardian Security Insights answers these questions in its nightly scan. Secure Score doesn't ask them.
The 90% Target and Why It Matters
ABT targets 90% or higher Secure Score across all four categories for every managed tenant. Most financial institutions start between 35% and 55%.
The 90% target is not arbitrary. It represents a posture where:
- Legacy authentication is blocked (stops 99% of password spray attacks)
- MFA is fully enrolled for all users (not just registered)
- All devices meet compliance policies
- DLP policies protect sensitive data types
- Email authentication (SPF/DKIM/DMARC) prevents spoofing
- Conditional Access restricts access by location, device, and risk level
The remaining 10% typically consists of controls that require trade-offs: settings that would break specific workflows, controls that duplicate coverage from other tools, or Microsoft recommendations that do not apply to the institution's environment.
Cyber insurance carriers now factor Secure Score into underwriting. Demonstrating 90%+ in MFA and Data Protection can reduce premiums. Guardian Security Insights gives your CFO the documentation to make that case during renewal negotiations.
"Financial services was the most-breached industry for the second consecutive year in 2025. The institutions that survived without headline-making incidents weren't the ones with the highest scores. They were the ones with actual security programs."
Analysis based on ITRC 2025 Annual Data Breach Report
From Score to Security Program
Secure Score is a number. A security program is a discipline. The difference shows up in how your institution handles the unexpected.
When a new vulnerability is disclosed, a score-focused team checks whether it affects their Secure Score. A program-focused team checks whether it affects their users, their data, and their compliance posture. Guardian Security Insights provides the visibility for the second approach.
When a vendor is breached, a score-focused team has no immediate action items. A program-focused team checks their Conditional Access policies, reviews third-party application permissions, and verifies that the breach did not affect their tenant. Guardian Security Insights surfaces this information without requiring your team to know where to look.
When a regulator updates their requirements, a score-focused team starts a new compliance project. A program-focused team checks their existing controls against the new requirements and finds they already meet most of them because they built the program on fundamentals, not point-chasing.
ABT's Architecture Advantage
ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. No third-party MSP platforms. Guardian Security Insights is built on the same Microsoft tools your institution already licenses: Entra ID, Intune, Defender, Purview, and Sentinel.
This matters for going beyond Secure Score because the data sources are native. Guardian Security Insights reads directly from Microsoft's APIs. There is no translation layer, no third-party data warehouse, no secondary sync that introduces lag or data loss. The findings are as current as the data in your tenant.
ABT serves 750+ financial institutions. That scale means the Guardian team has tuned its scanning, prioritization, and remediation guidance across thousands of tenants. The recommendations your team receives are not generic best practices. They are informed by patterns across the largest financial institution MSP client base in the market.
Your Score Is Not Your Security
A number on a dashboard tells you where you stand. A managed security program tells you where you're going and how to get there. See what Guardian Security Insights reveals about your Microsoft 365 environment that Secure Score can't.
Frequently Asked Questions
Does Microsoft Secure Score satisfy regulatory compliance requirements?
Secure Score measures implementation of Microsoft's recommended actions, not regulatory requirements. No regulator accepts Secure Score as compliance evidence. GLBA, FFIEC, NCUA, and state regulators require specific controls with documented evidence. Guardian Security Insights maps nightly scan results to these regulatory frameworks, turning security monitoring data into audit-ready compliance documentation.
What Secure Score target does ABT set for managed tenants?
ABT targets 90% or higher across all four Secure Score categories for every managed tenant. Most financial institutions start between 35% and 55%. The 90% target represents full legacy auth blocking, complete MFA enrollment, device compliance enforcement, active DLP policies, and Conditional Access enforcement. Cyber insurance carriers factor Secure Score into underwriting decisions.
How does Guardian Security Insights measure MFA differently from Secure Score?
Secure Score counts users as MFA-enabled once registration begins. Guardian Security Insights distinguishes between MFA-registered and MFA-enrolled. Users who started setup but never completed the second factor appear compliant in Microsoft dashboards while remaining unprotected. Guardian Security Insights identifies this gap in nightly scans, typically affecting 5-15% of users in financial institution tenants.
What replaced the FFIEC Cybersecurity Assessment Tool?
The FFIEC retired its Cybersecurity Assessment Tool in August 2025 and directed institutions to NIST Cybersecurity Framework 2.0. The NCUA released an updated ACET aligned with the same framework for credit unions. Financial institutions must now assess against NIST CSF 2.0 standards. Guardian Security Insights produces evidence mapped to this framework from its nightly monitoring operations.
Does Secure Score affect cyber insurance premiums?
Yes. In 2025, cyber insurance carriers began using Secure Score data during underwriting. Demonstrating high scores in MFA enforcement and Data Protection categories can reduce premiums. Guardian Security Insights tracks Secure Score trends with 30/60/90-day history and produces documentation that CFOs can present during insurance renewal negotiations to demonstrate security posture improvements.