Your Security Score Is High, But Your Business Is Still at Risk

Justin Kirsch | 7 min read

We run security assessments for financial institutions every week. Credit unions, community banks, mortgage companies, insurance firms. The ones that worry us most aren't the organizations with low scores. They're the ones with high scores and the confidence that comes with them.

A high Microsoft Secure Score creates a dangerous illusion. The dashboard says 78%. Leadership sees green. IT moves on to other priorities. Meanwhile, personal phones are reading member data without mobile management. Three service accounts bypass MFA entirely. And the Conditional Access policy that was supposed to block legacy authentication has an exception list nobody has reviewed in over a year.

Those are Microsoft Secure Score gaps that don't show up on the dashboard. And those are the gaps that attackers and examiners find first.

Your Scorecard Isn't Your Security

Security scores measure what's easy to count. They don't measure everything that matters. Across hundreds of financial institution assessments, we routinely find three categories of security score blind spots hiding behind impressive dashboards:

  • Unprotected personal devices. Personal phones and tablets reading sensitive email, accessing documents, and clicking links without any mobile security controls. No app protection policies. No device compliance checks. Raw access to regulated data on unmanaged hardware.
  • Policy exceptions that became permanent. Service accounts, legacy application integrations, and "temporary" Conditional Access bypasses that nobody cleaned up. Each one is a door left open. We've seen bypass lists grow to 15-20 accounts before anyone noticed.
  • MFA enforcement gaps. Accounts that slipped through enrollment and service accounts running without certificate-based authentication because nobody configured it. An attacker only needs one unprotected account to establish a foothold.

Attackers don't care about your aggregate score. They specialize in finding the one Conditional Access gap you forgot about. If you're questioning whether your score tells the whole story, building a security program that goes beyond the dashboard is where the real work starts. Your score won't chase exceptions, flag shadow BYOD, or catch the "temporary" workaround that became permanent. You have to look past the dashboard to see the real picture.
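One way to make the second and third blind spots above visible is to review the exported Conditional Access policies themselves rather than the score. The following is an added example, not ABT's tooling or Microsoft's code: it takes records shaped like the Graph `conditionalAccessPolicy` resource (what `GET /identity/conditionalAccess/policies` returns), flags policies left in report-only or disabled state, counts each policy's exclusion list against an assumed review threshold, and checks whether any enforced policy actually blocks legacy authentication. The sample policies and the threshold of 5 are constructed assumptions.

```python
"""Audit an exported Entra Conditional Access policy list for the blind spots
above: report-only or disabled policies, exclusion lists past a review
threshold, and no enforced block on legacy authentication. Records mirror the
Graph conditionalAccessPolicy resource; the sample data is constructed."""

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # legacy protocols in clientAppTypes
MAX_EXCLUSIONS = 5  # assumed review threshold, not a Microsoft default

POLICIES = [  # constructed sample, not real tenant data
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-backup", "svc-core-sync", "svc-scan",
                                               "cfo-legacy", "break-glass", "vendor-temp"],
                              "excludeGroups": ["Legacy-App-Bypass"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]

def exclusions(policy):
    """Every user or group carved out of the policy; this is the list that grows."""
    users = policy.get("conditions", {}).get("users", {})
    return list(users.get("excludeUsers") or []) + list(users.get("excludeGroups") or [])

def blocks_legacy_auth(policy):
    """True only if the policy is enforced, grants 'block', and covers legacy clients."""
    clients = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    covers_legacy = "all" in clients or LEGACY_CLIENTS <= clients
    return policy.get("state") == "enabled" and "block" in controls and covers_legacy

def audit(policies):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if p.get("state") != "enabled":
            findings.append(f"{name}: state '{p.get('state')}' is not enforced")
        count = len(exclusions(p))
        if count > MAX_EXCLUSIONS:
            findings.append(f"{name}: {count} exclusions exceed review threshold {MAX_EXCLUSIONS}")
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("no enabled Conditional Access policy blocks legacy authentication")
    return findings
```

Run `audit(POLICIES)` against a real export and every finding is an item for the weekly exception review; the constructed sample produces three.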

1,000+ password attacks every second — Microsoft observes more than 86 million identity-based attacks per day, and over 99.9% of compromised accounts did not have MFA enabled.
Source: Microsoft Digital Defense Report 2024

Personal Devices Are the Unmanaged Back Door

BYOD in financial services often translates to "Bring Your Own Risk." When a personal phone accesses customer data, member records, or borrower documents with zero safeguards, you've created an undocumented attack surface that no security score flags.

Lose the phone? No selective wipe capability. Click a phishing link? You've handed an attacker a foothold into your environment. Because the device isn't managed, you won't see the compromise in your monitoring tools. The gap between zero trust architecture and actual device security is where most financial institutions are most exposed.

The NCUA's 2026 supervisory priorities explicitly call out vendor management and security frameworks as examination areas. Unmanaged devices accessing member data through your Microsoft 365 tenant are exactly the kind of gap that triggers findings.

Regulatory Context

CISA's Binding Operational Directive 25-01 mandates baseline security configurations for Microsoft 365, covering seven product areas including Entra ID, Exchange Online, SharePoint, Teams, and Defender. Federal agencies must implement these baselines within prescribed timelines. Financial institutions aren't directly subject to BOD 25-01, but FFIEC examiners increasingly reference CISA benchmarks as the expected standard of care for regulated entities.

Source: CISA BOD 25-01 — Implementation of Secure Cloud Business Applications (2025)

BYOD security for financial services doesn't mean banning personal devices. It means putting work data in a secure container and drawing a clear line between personal and organizational data. People stay productive. Regulated data stays protected. Nobody's personal photos get inspected. Simple, respectful, enforceable.

A Security Gap Is a Business Problem

A cybersecurity incident at a financial institution isn't an abstract IT problem. It's an operational crisis that hits immediately:

  • Credit unions: Core banking goes offline, members can't access accounts, the call center is overwhelmed, and the NCUA examiner wants an incident report within 72 hours. In the first year of mandatory incident reporting, credit unions reported 1,072 cyber incidents.
  • Mortgage companies: Loan funding freezes, rate locks expire, the pipeline stalls, and borrower notifications trigger state attorney general inquiries.
  • Community banks: Online banking goes down, wire transfers stop, business customers can't operate, and the OCC opens a supervisory review. A thorough M365 security audit catches these exposure points before examiners do.

One unmanaged phone or a single account without MFA enforcement can cascade into frozen operations, regulatory notifications, and the kind of public cleanup that erodes customer trust for years.

A managed IT provider built for regulated environments catches these gaps as part of normal operations. It is not about buying more tools. It is about closing the gaps your security score doesn't see.

What gaps is your Secure Score missing?

ABT's security assessment examines the blind spots dashboards miss — unmanaged devices, MFA gaps, stale policy exceptions — mapped to your regulatory obligations.

Cyber Insurance Carriers Are Watching Your Score

Cyber insurance underwriters have gotten aggressive about using Microsoft Secure Score data during the application process. Multi-factor authentication is now mandatory on nearly all cyber insurance policies, and Marsh McLennan's 2024 analysis found that 41% of cyber insurance applications were denied on first submission — with missing MFA and inadequate endpoint protection as the top reasons for rejection.

But here's the problem with relying on your score for insurance purposes: the same gaps that hide from your dashboard also hide from the score the carrier sees. If your Secure Score shows 82% but unmanaged personal devices are accessing regulated data without any mobile policies, you're presenting a risk profile to your insurer that doesn't match reality.

41% of cyber insurance applications were denied on first submission in 2024 — missing MFA and inadequate endpoint protection are the leading causes of rejection.
Source: Marsh McLennan 2024 Cyber Insurance Application Data

When a claim hits and the forensic investigation reveals unmanaged BYOD access or permanent MFA exceptions, that discrepancy between reported posture and actual posture becomes a coverage dispute. Financial institutions need their actual security posture to match what the dashboard reports. Coalition's 2024 Cyber Threat Index found that 82% of cyber insurance claims involved organizations that had not fully implemented MFA — making it the single largest controllable risk factor in claim outcomes.

The Fix That Earns Trust Before Demanding It

Our approach to mobile device security compliance is deliberately boring. It works, people accept it, and it doesn't wreck productivity. Here's how it rolls out:

MAM first. Start with Mobile Application Management. Put your work apps and data inside a locked container on a personal phone. Set a PIN for work apps, encrypt what's inside, block copy-paste to personal apps, and wipe the container remotely if the device is lost. The rest of the device stays untouched. No "IT can see my photos" concerns. No pushback from staff.

MDM when it makes sense. Once the container model is accepted, expand to Mobile Device Management for roles that require device-level controls. Enforce OS versions, encryption, screen lock requirements, jailbreak detection, and mobile threat defense. The process for building risk-based Intune device compliance starts simple and scales with your organization's readiness. Use MDM for high-risk roles, shared devices, or situations where native mail access is required. Adoption goes smoother because you earned trust first.

This staged approach works for credit unions with 100 employees and mortgage companies with 500 loan officers. It scales because it starts with the least invasive, highest-impact control.

Security Moves at the Speed of Leadership

Tools don't enforce themselves. The financial institutions that actually close their MFA enforcement gaps and BYOD exposure do three things consistently:

  • Set a date and mean it. A clear executive communication: "After this date, work data lives in a protected app or you don't get access." Friendly, firm, and privacy-conscious. No ambiguity.
  • Show the scoreboard. Monthly reviews tracking BYOD coverage, exception cleanup, and MFA completion rates. When leadership watches the numbers, the numbers improve. When they don't, nothing changes.
  • Make managers accountable. Give department leaders their team's compliance status, pre-written reminders, and office hours for help. "Everyone is responsible" isn't a motivational poster. It's a routing rule that puts follow-up where it belongs.
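The scoreboard and routing rule above, as an added example rather than anything from the original post: it reads records shaped like the Graph `userRegistrationDetails` resource (the Entra authentication-methods registration report), joins them to a department attribute from the user directory, and produces per-department MFA completion plus the follow-up lists a manager needs. Admins without MFA are separated out for immediate escalation, and accounts with no department land in "Unassigned" so the missing owner is itself visible. All rows and the department map are constructed.

```python
"""Turn the Entra authentication-methods registration report into the
per-department MFA scoreboard described above. Records mirror the Graph
userRegistrationDetails resource; the department join and all sample rows
are constructed, not real tenant data."""
from collections import defaultdict

REGISTRATIONS = [  # constructed sample rows
    {"userPrincipalName": "ana@cu.example", "isMfaRegistered": True, "isAdmin": False},
    {"userPrincipalName": "ben@cu.example", "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "cara@cu.example", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "svc-core-sync@cu.example", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "dev@cu.example", "isMfaRegistered": False, "isAdmin": False},
]
DEPARTMENTS = {  # assumed join from the user directory's department attribute
    "ana@cu.example": "Lending", "ben@cu.example": "Lending",
    "cara@cu.example": "IT", "svc-core-sync@cu.example": "IT",
}

def scoreboard(registrations, departments):
    """Return (per-department report, admins without MFA)."""
    rows = defaultdict(lambda: {"users": 0, "registered": 0, "missing": []})
    critical = []  # admins without MFA: escalate now, do not wait for the monthly review
    for rec in registrations:
        upn = rec["userPrincipalName"]
        dept = departments.get(upn, "Unassigned")  # no owner means no routing rule
        row = rows[dept]
        row["users"] += 1
        if rec["isMfaRegistered"]:
            row["registered"] += 1
        else:
            row["missing"].append(upn)  # the list a department leader gets
            if rec["isAdmin"]:
                critical.append(upn)
    report = {dept: {"coverage_pct": round(100 * r["registered"] / r["users"], 1),
                     "missing": r["missing"]} for dept, r in rows.items()}
    return report, critical

def overall_coverage(registrations):
    """Tenant-wide MFA completion percentage, the number leadership tracks month to month."""
    if not registrations:
        return 0.0
    done = sum(1 for rec in registrations if rec["isMfaRegistered"])
    return round(100 * done / len(registrations), 1)
```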

That's the difference between a security policy that lives in SharePoint and a program that actually protects your customers and your brand.

From Scorecard to Secure

Real security isn't the number on your dashboard. It's the absence of unmanaged back doors, lingering policy exceptions, and orphaned accounts. It's connecting those fixes to business outcomes: operations run on schedule, customers stay confident, examiners nod instead of writing findings, and insurance carriers see a risk profile that matches reality.

If your Microsoft Secure Score looks strong but something feels off, you're probably right. Start with the phone in everyone's pocket. Lock the data today, raise the device bar next, and let your leadership cadence turn policy into practice. That's how you turn "secure on paper" into secure in production. For credit unions looking for a structured starting point, a security program that goes beyond the basics builds this discipline into recurring operations.

See what your Secure Score isn't telling you

ABT's free Microsoft 365 Security Assessment examines the gaps that dashboards miss — unmanaged BYOD access, stale Conditional Access exceptions, MFA enforcement blind spots — mapped against your specific regulatory requirements.

Frequently Asked Questions

What are Microsoft Secure Score gaps that financial institutions commonly miss?

The most common Microsoft Secure Score gaps include unmanaged personal devices accessing regulated data, service accounts that bypass multi-factor authentication, Conditional Access policy exceptions that were never cleaned up, and legacy authentication protocols that remain enabled. These gaps do not reduce the aggregate score but create exploitable attack surfaces that examiners and attackers find first.

How can financial institutions secure BYOD devices without invading employee privacy?

Mobile Application Management creates a secure container for work apps and data on personal devices without managing the device itself. The organization controls the work container including encryption, PIN requirements, and remote wipe. Personal apps, photos, and browsing remain private and unmonitored. This balances BYOD security for financial services with employee privacy expectations.

How does Microsoft Secure Score affect cyber insurance premiums for financial institutions?

Cyber insurance carriers now use Microsoft Secure Score data during underwriting, particularly MFA and Data Protection metrics. Multi-factor authentication is mandatory on nearly all policies, and 41% of applications were denied on first submission in 2024 due to missing MFA or inadequate endpoint protection. Gaps hidden from the dashboard create a mismatch between reported and actual risk posture that can trigger coverage disputes after a claim.

What is the difference between MAM and MDM for mobile security in financial services?

Mobile Application Management controls work apps and data within a secure container on personal devices without managing the device itself. Mobile Device Management provides full device-level control including OS enforcement, encryption requirements, and threat detection. Most financial institutions deploy MAM first for broad coverage and employee trust, then add MDM for high-risk roles requiring device-level compliance checks.

How often should financial institutions review their Microsoft Secure Score?

Financial institutions should review their Microsoft Secure Score weekly at minimum with a deeper security assessment quarterly. The score itself should be treated as a starting point rather than a definitive measure. Weekly reviews should include exception list cleanup, MFA enrollment verification, Conditional Access policy validation, and BYOD compliance status. Annual point-in-time reviews are insufficient for regulatory expectations.

Justin Kirsch

CEO, Access Business Technologies

Justin leads ABT's security practice serving 750+ financial institutions. With over 25 years in regulated IT, he specializes in translating compliance requirements into practical security programs for banks, credit unions, and mortgage companies.