In This Article
- Why a High Secure Score Still Leaves You Exposed
- What Continuous Monitoring Looks Like in Practice
- The Compliance Clock Is Tightening on Every Charter
- How Mason-McDuffie Mortgage Rebuilt Its Security Posture
- What Guardian Security Insights Delivers
- Your 90-Day Continuous Monitoring Action Plan
- Frequently Asked Questions
A point-in-time security assessment tells you how your environment looked on the day someone checked. It says nothing about the six weeks that follow. A stale account lingers after an employee leaves. A new hire never finishes multifactor authentication enrollment. A Conditional Access policy gets switched off during a troubleshooting call and never switched back on. For a bank, a credit union, or a mortgage company, those quiet gaps are exactly where an attacker gets in.
Continuous security monitoring closes those gaps before they become incidents. It is the difference between knowing your security posture today and assuming it still matches an audit you passed last quarter. And in financial services, where regulators across every charter type are compressing breach-reporting windows by the year, the margin for "good enough" security is gone.
The World Economic Forum's Global Cybersecurity Outlook 2026, a survey of 804 global business and security leaders, found that 68 percent now name third-party service providers as their organization's weakest security link. For credit unions, banks, and mortgage companies that run on a stack of vendors and a shared Microsoft 365 tenant, that finding lands close to home. The institutions that stay ahead are the ones watching their own environment every single day.
The Detection Gap
According to IBM's 2025 Cost of a Data Breach Report, the global average time to identify and contain a breach is 241 days. That is the lowest figure in nine years, and it is still eight months. An attacker who slips into a financial institution's environment in January may not be discovered until September. For organizations handling Social Security numbers, account data, and tax records under strict regulatory timelines, 241 days is an eternity.
Why a High Secure Score Still Leaves You Exposed
Many organizations score far lower on Microsoft Secure Score than they assume, and most financial institutions that ABT meets on a first assessment sit below 40 percent. But here is the uncomfortable truth: even an institution that pushes its score past 75 percent can still be wide open.
Microsoft Secure Score is configuration-centric. It tells you a control is recommended and whether it is set up, but it is an incomplete measure of whether that control is actually enforced, whether every user completed enrollment, or whether someone quietly disabled it last Tuesday during a support call. Our deeper look at this gap, Beyond Secure Score, walks through why a single number was never meant to be a security program.
Here are four gaps a static score routinely hides:
- MFA registration gaps. Many organizations enable MFA as a policy but never confirm that every account actually completed enrollment. Microsoft shows a green checkmark on the policy; it does not flag the users who never finished registering. Those accounts are one phished password away from compromise.
- Stale accounts and orphaned access. Privileged accounts frequently sit dormant for months after staff turnover. Former employees, shared mailboxes, and service accounts that nobody owns become backdoors that credential-stuffing attacks walk straight through.
- Configuration drift. An IT team disables a Conditional Access policy to troubleshoot a login issue. Nobody re-enables it. The Secure Score may not even drop, because the policy still "exists" on paper. The protection is gone, but the dashboard says everything is fine.
- Human error compounds everything. Industry analyses consistently trace the majority of cloud security gaps to human error and misconfiguration rather than software flaws. A single manual change, an exclusion added or a setting toggled, can undo months of hardening overnight.
Secure Score is a starting point. It is not proof that your environment is actually protected. The gap between what a dashboard says and what an attacker sees is exactly where breaches happen.
| What Secure Score Shows | What It Misses | The Real Risk |
|---|---|---|
| MFA policy enabled | Users who never completed enrollment | Unenrolled accounts stay exposed to takeover |
| Conditional Access configured | Policies disabled mid-troubleshoot and never restored | Silent bypasses accumulate between audits |
| Device compliance set | Unmanaged devices outside device-compliance controls | Shadow endpoints slip past device-based policies |
| Score reads 75% | Privileged accounts dormant since the last departure | Credential-stuffing backdoors |
| All policies marked active | Manual changes that quietly undo hardening | Misconfiguration is a leading breach cause |
Microsoft 365 already generates the signal a financial institution needs to spot these gaps: Microsoft Entra ID provides extensive sign-in and audit logging, Microsoft Intune tracks device compliance, and Microsoft Purview records data access and sharing. The problem is that those signals live in different admin centers and tell you what changed, not what to do about it. As a Tier 1 Microsoft Cloud Solution Provider managing Microsoft 365 tenants for more than 750 financial institutions, ABT turns that native telemetry into a single, prioritized view, so a credit union or a community bank acts on a finding the same day instead of discovering it during the next exam.
Source: Microsoft Entra, Intune, and Purview product documentation; ABT managed-tenant practice, 2026.
What Continuous Monitoring Looks Like in Practice
ABT built Guardian Security Insights to surface what Microsoft does not show by default. It pulls data from your Microsoft 365 tenant every night. No manual scripts. No digging through nested admin menus.
The result is a set of prioritized findings your IT team can act on immediately:
- Users who have MFA "enabled" but never registered. This is the single most common hidden risk in financial-institution tenants. Guardian flags them by name.
- Devices not enrolled in Microsoft Intune. Unmanaged endpoints fall outside device-compliance Conditional Access controls, so a policy that assumes a managed, compliant device cannot do its job.
- Accounts inactive for 30, 60, or 90 days. Stale accounts are low-hanging fruit for credential-stuffing attacks, and turnover at a busy branch or loan office creates them constantly.
- External sharing anomalies. Who shared what, with whom, and when. Microsoft Purview data-loss-prevention violations surface automatically.
Every finding comes with a recommended action. No guesswork. For institutions standardizing this across many users, our Microsoft 365 security checklist for credit unions maps the same controls to a repeatable cadence.
The gap between what your security dashboard shows and what an attacker actually sees is where breaches live. Continuous monitoring closes that gap every 24 hours.
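To make the four hidden gaps above and the nightly findings list concrete, here is an added illustration (not Guardian's code and not from the original article) that runs the same checks over a constructed tenant snapshot: accounts covered by an MFA policy that never registered a method, accounts bucketed by 30/60/90 days of inactivity, and Conditional Access policies whose state drifted from a documented baseline. The record shapes are loosely modelled on Microsoft Graph's userRegistrationDetails and signInActivity, but every field name and value here is an assumption for illustration.

```python
from datetime import datetime, timezone

# Constructed sample snapshot (not real tenant data). Field names are
# assumptions for illustration, loosely after Graph's userRegistrationDetails,
# signInActivity and conditionalAccess policy objects.
NOW = datetime(2026, 3, 2, tzinfo=timezone.utc)
USERS = [
    {"upn": "alice@example.com", "mfaPolicyEnabled": True, "isMfaRegistered": True,
     "lastSignIn": "2026-03-01T09:00:00Z", "privileged": False},
    {"upn": "bob@example.com", "mfaPolicyEnabled": True, "isMfaRegistered": False,
     "lastSignIn": "2026-02-27T08:00:00Z", "privileged": False},
    {"upn": "svc-backup@example.com", "mfaPolicyEnabled": True, "isMfaRegistered": False,
     "lastSignIn": "2025-11-15T02:00:00Z", "privileged": True},
    {"upn": "former.employee@example.com", "mfaPolicyEnabled": True, "isMfaRegistered": True,
     "lastSignIn": "2025-12-20T10:00:00Z", "privileged": False},
]
BASELINE_CA = {"Require MFA for all users": "enabled", "Block legacy auth": "enabled"}
CURRENT_CA = {"Require MFA for all users": "enabled", "Block legacy auth": "disabled"}


def mfa_registration_gaps(users):
    """Accounts that an MFA policy covers but that never completed registration."""
    return [u["upn"] for u in users if u["mfaPolicyEnabled"] and not u["isMfaRegistered"]]


def stale_accounts(users, now=NOW, buckets=(30, 60, 90)):
    """Bucket accounts by days since last sign-in; the largest crossed threshold wins."""
    out = {b: [] for b in buckets}
    for u in users:
        last = datetime.fromisoformat(u["lastSignIn"].replace("Z", "+00:00"))
        crossed = [b for b in buckets if (now - last).days >= b]
        if crossed:
            out[max(crossed)].append(u["upn"])
    return out


def conditional_access_drift(baseline, current):
    """Policies whose current state differs from the documented baseline."""
    return {name: (state, current.get(name, "missing"))
            for name, state in baseline.items() if current.get(name) != state}


def prioritized_findings(users=USERS, baseline=BASELINE_CA, current=CURRENT_CA, now=NOW):
    """Return (priority, finding, recommended action), most urgent first."""
    findings = []
    for upn in mfa_registration_gaps(users):
        priv = next(u["privileged"] for u in users if u["upn"] == upn)
        findings.append((1 if priv else 2, f"MFA not registered: {upn}",
                         "Require registration before the next sign-in"))
    for name, (was, now_state) in conditional_access_drift(baseline, current).items():
        findings.append((1, f"CA drift: {name} {was} -> {now_state}",
                         "Restore the baseline state and record who changed it"))
    for days, upns in stale_accounts(users, now).items():
        for upn in upns:
            findings.append((3, f"Inactive {days}+ days: {upn}", "Disable and confirm ownership"))
    return sorted(findings)
```

Run nightly against a real export, the same three functions give an IT team a ranked to-do list rather than three separate admin-center views.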
The Compliance Clock Is Tightening on Every Charter
Whatever your charter, your regulator has compressed the window between detecting an incident and reporting it. The numbers have converged, and they are short.
For banks, the federal banking agencies (the OCC, the Federal Reserve, and the FDIC) require notification of a qualifying computer-security incident within 36 hours of determining it occurred. That rule has been in effect since May 2022, and it set the standard the rest of the sector now follows. Bank service providers carry their own duty to notify customer banks when a covered service is disrupted for four or more hours.
For credit unions, the NCUA's cyber incident reporting rule, effective September 1, 2023, requires notification within 72 hours of forming a reasonable belief that a reportable incident has occurred, including an incident reported by a third-party vendor.
For mortgage companies, the requirements stack. HUD's Mortgagee Letter 2024-10 requires FHA-approved lenders to report a reportable cyber incident within 12 hours of detection, one of the tightest windows in all of financial services. Fannie Mae adds its own information-security and incident-reporting requirements for sellers and servicers, including prompt breach notification and annual security attestation. And the FTC Safeguards Rule requires non-banking lenders to implement continuous monitoring, or annual penetration testing plus semi-annual vulnerability assessments, and to notify the FTC within 30 days of discovering an event involving 500 or more consumers.
Layer on the NYDFS Cybersecurity Regulation, whose universal multifactor authentication requirement took effect in late 2025 for institutions doing business in New York, and the pattern is unmistakable. You cannot satisfy a 36-hour clock with a quarterly spot-check.
The Marquis breach is the clearest recent argument for watching your own environment continuously. The vendor, which serves credit unions and banks, was breached once; the fallout (exposed Social Security numbers, tax IDs, and account data) landed on dozens of financial institutions that had no visibility into the vendor's posture. We broke down the lessons in our analysis of the Marquis breach and vendor risk.
Incident-Reporting Windows Financial Institutions Cannot Miss
Federal banking agencies (OCC, Fed, FDIC): 36-hour notification for qualifying incidents, in effect since May 2022.
NCUA (credit unions): 72-hour notification, effective since September 2023.
HUD ML 2024-10 (FHA lenders): 12-hour reportable-incident notification.
Fannie Mae: information-security requirements plus annual attestation for sellers and servicers.
FTC Safeguards Rule: continuous monitoring or annual penetration test plus semi-annual assessments; 30-day notice for events involving 500+ consumers.
NYDFS Part 500: universal MFA in effect since late 2025.
How Mason-McDuffie Mortgage Rebuilt Its Security Posture
Mason-McDuffie Mortgage (MasonMac) started with a Microsoft Secure Score of 32 percent. Manual checks and custom PowerShell scripts overwhelmed the IT team, and critical gaps went undetected for months. The same story plays out at community banks and credit unions running lean IT teams against the same Microsoft 365 surface.
After implementing Guardian Security Insights, MasonMac saw measurable results:
- Secure Score improved from 32 percent to more than 90 percent within six months
- IT identified users who appeared MFA-protected but had never completed registration
- Monthly executive reports gave leadership clear visibility into security progress
- Nightly automated data pulls replaced fragile manual PowerShell scripts
Clinton Weyland, VP of IT at MasonMac, put it plainly:
Guardian Security Insights gave us the visibility and insights we needed to make informed decisions quickly. The continual monitoring and regular reports were game-changers for our IT team and leadership.
What Would Nightly Monitoring Uncover in Your Tenant?
MasonMac went from a 32 percent Secure Score to more than 90 percent in six months. The first step was seeing what manual checks were missing.
What Guardian Security Insights Delivers
Guardian Security Insights is part of ABT's Guardian operating model. It sits on top of your existing Microsoft 365 environment and extracts signal that native tooling leaves buried. ABT manages this approach for more than 750 financial institutions on a pure Microsoft stack.
Nightly Automated Pulls
Data comes directly from your tenant. No agents to install. No third-party platforms to maintain. ABT manages your Microsoft 365 tenant as your Cloud Solution Provider, so the monitoring runs on infrastructure you already own.
BI-Style Dashboards
IT teams get prioritized to-do lists. Executives get board-ready summaries. Both views come from the same data set, so the conversation between the server room and the boardroom finally uses one source of truth.
Historical Trend Tracking
See how your posture improved month over month. Prove return on investment to your board. Show examiners a documented trajectory instead of a single snapshot.
Deeper MFA and Identity Analysis
Standard Microsoft reports show policy status. Guardian shows actual enrollment, completion rates, and the at-risk accounts that fall through the cracks: the difference between a control that exists and a control that protects. For the regulatory mapping behind it, see our guide to Microsoft 365 and regulatory compliance for financial institutions.
Your 90-Day Continuous Monitoring Action Plan
Whether you deploy Guardian or build your own monitoring practice, here is a practical timeline that works for a bank, a credit union, or a mortgage company:
Days 1-30: Visibility
Start by seeing everything. Deploy nightly data pulls from your Microsoft 365 tenant. Catalog every user, device, and policy. Document MFA registration status, Microsoft Intune device-enrollment gaps, and stale accounts. Establish your baseline Secure Score and write down exactly what it does not measure.
Days 31-60: Remediation
Close the gaps your baseline uncovered. Enforce MFA registration for every account. Disable stale accounts. Enroll unmanaged devices in Microsoft Intune. Fix Conditional Access exclusions. Track progress weekly against your baseline so leadership sees the curve bending.
Days 61-90: Governance
Build recurring reporting for IT and executive leadership. Set thresholds for automatic alerts on configuration drift. Document the monitoring process itself so it becomes examiner-ready evidence. Establish the cadence that keeps your posture from quietly regressing the moment attention moves elsewhere.
Frequently Asked Questions
Periodic assessments capture a snapshot on a single day. Continuous monitoring pulls data from your Microsoft 365 tenant every night, detecting configuration drift, new stale accounts, and MFA registration gaps as they appear. This daily cadence means your IT team acts on findings within hours instead of discovering problems weeks or months later during an audit.
Banks must notify their federal regulator (the OCC, Federal Reserve, or FDIC) within 36 hours of determining a qualifying computer-security incident occurred, a rule in effect since May 2022. Credit unions must notify the NCUA within 72 hours, effective since September 2023. FHA-approved mortgage lenders must report within 12 hours under HUD Mortgagee Letter 2024-10, and Fannie Mae sellers and servicers carry their own information-security and breach-notification requirements. Continuous monitoring is what makes meeting these short windows realistic.
Microsoft Secure Score measures whether a control is configured, not whether it is enforced. Continuous monitoring catches configuration drift between reviews, newly created stale accounts from staff turnover, MFA registrations that were started but never completed, and Conditional Access exclusions added as temporary fixes that quietly became permanent. It detects these changes within 24 hours, which matters because attackers scan for exactly these transient gaps.
ABT's Guardian Security Insights connects directly to your existing Microsoft 365 tenant. There are no agents to install and no third-party platforms to configure. Most institutions begin receiving nightly automated reports within the first week. The full Guardian hardening process, which addresses the vulnerabilities those reports surface, typically runs as a 90-day sprint across visibility, remediation, and governance.
Marquis Software Solutions, a Texas-based provider serving credit unions and banks, detected a breach in August 2025. The officially confirmed figure, disclosed by the Maine Attorney General in March 2026, is 672,075 individuals affected across at least 74 financial institutions, with exposed data including Social Security numbers, tax IDs, and financial account information. It is a textbook case of a single third-party vendor compromise cascading across dozens of institutions, and a reminder that you can only fully control the monitoring of your own environment.
No. Continuous monitoring builds on the Microsoft 365 controls you already license. Microsoft Entra ID supplies identity and sign-in signal, Microsoft Intune supplies device compliance, and Microsoft Purview supplies data access and sharing activity. Guardian Security Insights reads that native telemetry and turns it into prioritized, plain-language findings. You are operationalizing tools you already pay for, not buying a parallel security stack.
Stop Guessing. Start Monitoring.
Regulators across every charter are tightening incident-reporting windows to 36 and 72 hours. Third-party breaches like Marquis are cascading across dozens of institutions at once. ABT manages Microsoft 365 for more than 750 financial institutions with Guardian Security Insights, the same approach that took MasonMac from a 32 percent Secure Score to more than 90 percent.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch built ABT's continuous monitoring approach after watching financial institutions pass an annual audit and get breached three months later. As CEO of Access Business Technologies, a Tier 1 Microsoft Cloud Solution Provider, he created Guardian Security Insights to close the gap between point-in-time assessments and the daily configuration drift that attackers actually exploit, protecting more than 750 banks, credit unions, and mortgage companies with nightly automated security monitoring.