In This Article
- The Secure Score Trap
- What Secure Score Misses
- Why Secure Score Is Becoming a Business Requirement
- Going Beyond the Number
- From Score to Action: How the Microsoft Defender Stack Closes the Gaps
- M365 Guardian and Guardian Security Insights: ABT's Continuous-Improvement Framework
- Case Study: Mason-McDuffie Mortgage
- Frequently Asked Questions
Microsoft Secure Score tells you what percentage of recommended security actions your organization has taken. It is free. It is built into every Microsoft 365 tenant. And by itself, it gives you an incomplete picture of your actual security posture.
That matters more now than ever. Gartner predicts that by 2026, 50% of organizations will require real-time security scoring as a procurement criterion. Cyber insurance carriers already use Secure Score data during underwriting. And the Microsoft Security Intelligence Report found that organizations scoring above 80% experience 67% fewer security incidents.
The score is real. The risk of treating it as the whole story is also real.
The Secure Score Trap
A mortgage company checks their Secure Score and sees 70%. That looks passing. It sits above the industry average of 40% to 60% for mid-market companies. Leadership moves on to other priorities.
Here is the problem. Secure Score measures whether recommended actions are enabled. It does not measure whether they are working. Enabling MFA earns points. But if 15% of your accounts have not completed registration, MFA has a gap that the score does not show.
Secure Score also weights actions differently. Turning on MFA earns significantly more points than adjusting a SharePoint sharing policy. So a company can have a high score while leaving entire categories of risk unaddressed.
For mortgage companies handling borrower Social Security numbers, bank statements, and tax returns, the gaps between "enabled" and "enforced" are where breaches happen.
What Secure Score Misses
Microsoft documents this openly. Secure Score covers five pillars: identity, devices, apps, data, and cloud infrastructure. What it does not cover tells you just as much.
Stale and Orphaned Accounts
An employee leaves. Their account gets disabled in HR's system but stays active in Microsoft Entra ID because nobody ran the sync. That account does not show up as a Secure Score issue. But it is an open door for an attacker who finds the credentials.
Device Compliance Reality
Secure Score gives points for enabling Microsoft Intune device compliance policies. It does not tell you that 200 devices failed compliance last week and nobody followed up. The policy exists. The enforcement gap does not register.
Behavioral Anomalies
A loan officer logs in from California at 8 AM and from Eastern Europe at 8:15 AM. That impossible-travel event does not affect Secure Score. It shows up in Microsoft Defender logs, but only if someone is monitoring them.
Third-Party Application Risk
OAuth consent grants are one of the fastest-growing attack vectors. A user grants a third-party app access to their mailbox. Secure Score does not flag it. The app reads every email containing borrower documents until someone notices.
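As an added example (not part of the article and not ABT's or Microsoft's tooling), the following Python script runs three of the "enabled versus enforced" checks described above over constructed sample data: MFA registration coverage, accounts HR has terminated but Entra ID still has enabled, and impossible-travel sign-in pairs. The user records, sign-in coordinates and the 1000 km/h speed threshold are assumptions for illustration; in practice the inputs would come from a tenant's user, HR and sign-in exports.

```python
"""Posture-gap checks that Secure Score does not surface (constructed sample data)."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample tenant export: HR status vs Entra ID state vs MFA registration.
USERS = [
    {"upn": "lo1@example.com", "hr_active": True,  "entra_enabled": True,  "mfa_registered": True},
    {"upn": "lo2@example.com", "hr_active": True,  "entra_enabled": True,  "mfa_registered": False},
    {"upn": "ex1@example.com", "hr_active": False, "entra_enabled": True,  "mfa_registered": True},
    {"upn": "ex2@example.com", "hr_active": False, "entra_enabled": False, "mfa_registered": False},
]
# Constructed sign-in events: (upn, UTC timestamp, latitude, longitude).
SIGNINS = [
    ("lo1@example.com", "2025-09-01T08:00:00", 37.77, -122.42),  # California
    ("lo1@example.com", "2025-09-01T08:15:00", 50.45,   30.52),  # Eastern Europe
    ("lo2@example.com", "2025-09-01T09:00:00", 37.77, -122.42),  # California
    ("lo2@example.com", "2025-09-01T17:00:00", 34.05, -118.24),  # plausible drive south
]

def mfa_gap(users):
    """Fraction of enabled accounts with no completed MFA registration, plus their UPNs."""
    enabled = [u for u in users if u["entra_enabled"]]
    unregistered = [u["upn"] for u in enabled if not u["mfa_registered"]]
    return len(unregistered) / len(enabled), unregistered

def stale_accounts(users):
    """Accounts HR has terminated but Entra ID still has enabled (the orphaned-account gap)."""
    return [u["upn"] for u in users if not u["hr_active"] and u["entra_enabled"]]

def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine, Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=1000.0):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh (assumed threshold)."""
    flagged = []
    last_seen = {}  # upn -> (datetime, lat, lon) of the previous sign-in
    for upn, ts, lat, lon in sorted(signins, key=lambda s: (s[0], s[1])):
        prev = last_seen.get(upn)
        t = datetime.fromisoformat(ts)
        if prev:
            hours = (t - prev[0]).total_seconds() / 3600
            if hours > 0 and _km(prev[1], prev[2], lat, lon) / hours > max_kmh:
                flagged.append((upn, ts))
        last_seen[upn] = (t, lat, lon)
    return flagged
```

On the sample data the script reports one enabled account of three without MFA registration, one orphaned account, and one impossible-travel sign-in; none of those would change the tenant's Secure Score.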
Why Secure Score Is Becoming a Business Requirement
Despite its limitations, Secure Score is becoming unavoidable. LevelBlue's March 2025 analysis showed that the score is shifting from internal benchmark to external requirement:
- Cyber insurance: Carriers now check Secure Score during underwriting. Higher scores mean lower premiums. Some carriers verify that your stated MFA coverage matches your actual Secure Score history during claims.
- Vendor procurement: Large institutions and GSEs increasingly require minimum Secure Scores from vendors. A low score can disqualify your company from contracts.
- M&A due diligence: Acquirers check Secure Score as part of technology risk assessment. A weak score can delay or derail a deal.
- Regulatory direction: The FFIEC retired its manual Cybersecurity Assessment Tool in August 2025. The replacement guidance points toward continuous, automated security measurement. Secure Score fits that direction.
The score matters. But optimizing it without understanding what it does not measure creates a false sense of security.
Going Beyond the Number
A meaningful security posture assessment for mortgage companies needs to answer questions Secure Score does not:
- Are our security controls actually working? Not just enabled, but enforced across every account and device.
- Where are the gaps between systems? Identity says one thing. Device management says another. Which one reflects reality?
- Is our posture improving or drifting? A point-in-time score does not show trajectory. Monthly trends do.
- Can we prove compliance? GLBA, FTC Safeguards Rule, and state regulators want evidence of continuous monitoring, not a screenshot of a dashboard.
These questions require combining Secure Score data with operational reality. Automated. Continuous. Reported in a format that leadership and regulators can both understand.
From Score to Action: How the Microsoft Defender Stack Closes the Gaps
Microsoft Secure Score is a baseline. It tells you what is enabled in the Microsoft 365 tenant your mortgage company already pays for. The work that actually moves the needle happens in the Microsoft Defender stack and the surrounding Microsoft 365 security surface, where controls are not just enabled but actively closing the gaps the score does not measure. Microsoft Defender for Office 365 blocks the phishing and impersonation attempts that target loan officers handling borrower email. Microsoft Defender for Endpoint watches every laptop and workstation for indicators of compromise, then quarantines a device the moment something looks wrong. Microsoft Defender for Identity catches the behavioral anomalies (impossible travel, lateral movement, anomalous privilege escalation) that the score never sees. Microsoft Defender for Cloud Apps flags risky OAuth consent grants before they become the data exfiltration channel of the next breach. Microsoft Sentinel aggregates the signals from all of those products into a single incident timeline that a regulator will accept as evidence.
Microsoft built the surface. The question for a mortgage company is who runs it every day, who tunes the analytic rules to the patterns mortgage attackers actually use, and who turns the alerts into action while loan officers are closing files. The Secure Score moves up because the Defender stack moves first. That is the operating-model difference.
M365 Guardian and Guardian Security Insights: ABT's Continuous-Improvement Framework
Access Business Technologies has packaged the Microsoft 365 security operating model that 750+ financial institutions run on into M365 Guardian, the firm's productized framework for managing the Microsoft Defender stack, Microsoft Purview, Microsoft Entra ID, Microsoft Intune, and Microsoft Sentinel inside a regulated mortgage environment. Guardian is not a software product layered on top of Microsoft. It is the operating model that turns Microsoft's security surface into a managed security program: Conditional Access policies tuned to mortgage roles and branch geography, Defender deployments tuned to attacks mortgage companies actually see, Purview retention policies aligned to GLBA, FTC Safeguards, and state recordkeeping rules, and a 24/7 security operations center watching Sentinel signals every minute of the day.
Guardian Security Insights is the continuous-improvement layer of that framework. It pulls Secure Score, device compliance, sign-in risk, MFA registration, and audit telemetry from every tenant ABT manages, weighs the signals against the gaps the Defender stack is closing this week, and produces a continuous trend line showing whether the firm's posture improved or drifted compared to the last 30, 60, and 90 days. The output is a monthly executive report a CFO can read in five minutes, a quarterly compliance attestation a CCO can hand to a regulator, and a nightly action queue a mortgage IT director can work through before the loan officers log in. That cadence is the productized version of the same continuous-monitoring posture FFIEC, NCUA, and state regulators are now expecting, applied across the 750+ financial institutions ABT manages Microsoft 365 tenants for.
See Your Microsoft Secure Score in Context
ABT runs the M365 Guardian operating model and the Guardian Security Insights continuous-improvement framework described in this article for 750+ financial institutions, including community banks, credit unions, and mortgage companies. A 30-minute conversation maps your current Microsoft Secure Score against the Defender, Purview, and Sentinel gaps it does not cover, and outlines what an ABT-managed deployment would do about them. No commitment, no quote, no obligation.
Case Study: Mason-McDuffie Mortgage
Mason-McDuffie Mortgage (MasonMac), a retail mortgage banking firm operating across roughly 40 states with about 350 employees, came to Access Business Technologies with a Secure Score of 32%.
Their environment told a familiar story. Mixed security software across laptops and desktops. Partial cloud migration. No unified strategy for the Microsoft 365 tools they were already paying for. Their IT team was overwhelmed by manual checks and complex scripts that still missed critical gaps like incomplete MFA registrations and unmanaged devices.
The ABT team implemented Guardian in two phases:
Phase 1: Hardening
- Conditional Access policies enforcing MFA on every login
- Microsoft Intune device compliance covering all endpoints
- Microsoft Defender for Office 365 protecting against phishing and email-borne threats
- Microsoft Purview Information Protection securing borrower data flows
Phase 2: Monitoring and Insights
- Nightly automated security assessments replacing manual spot checks
- Continuous threat detection through managed extended detection and response (MxDR)
- AI-driven analytics identifying emerging risks before they become incidents
- Regular security posture reporting for leadership and compliance
MasonMac's Secure Score climbed from 32% to nearly 93%. But the real outcome was that their IT team stopped spending days on manual security reviews. They got automated daily reports that told them exactly what needed attention, prioritized by risk.
Key Takeaway
Microsoft Secure Score is the baseline. The Microsoft Defender stack and Microsoft Sentinel are the engines that actively close the gaps the score does not measure. M365 Guardian is ABT's operating model for running that surface inside a regulated mortgage environment. Guardian Security Insights is the continuous-improvement layer that turns the signals into a trend line, an executive report, and a regulator-ready compliance attestation. For mortgage companies operating across multiple branches and state regulators, that framework is the cleanest available route from a Microsoft 365 license to a defensible security posture.
Frequently Asked Questions
Microsoft Secure Score measures whether recommended security actions are enabled but does not verify that they are enforced across every account and device. It does not detect stale accounts, device compliance enforcement gaps, behavioral anomalies like impossible-travel sign-ins, or risky third-party OAuth application consent grants. For mortgage companies handling sensitive borrower data, these gaps represent real attack surfaces that the score alone cannot reveal.
Insurers increasingly look past the headline score during underwriting. They want evidence of active endpoint detection and response telemetry, proof that MFA is enforced rather than just enabled, documentation of incident response plan testing, and historical trend data showing sustained security improvements over time. A high Secure Score paired with stale admin accounts, unmanaged devices, or untested backup procedures still represents underwriting risk that the score alone does not capture.
Mason-McDuffie Mortgage started with a Microsoft Secure Score of 32% and reached nearly 93% after implementing Guardian through Access Business Technologies. The improvement came from a two-phase approach: first hardening the Microsoft 365 environment with Conditional Access, Microsoft Intune device compliance, and Microsoft Defender for Office 365, then layering continuous monitoring through Guardian Security Insights with nightly automated assessments and managed extended detection and response.
The FFIEC retired its Cybersecurity Assessment Tool (CAT) on August 31, 2025, after 10 years of use. While the fundamental security controls in the CAT remained sound, the manual self-assessment approach could not keep pace with rapidly evolving cyber threats. The replacement guidance from federal banking regulators directs financial institutions toward continuous automated monitoring frameworks that provide real-time security posture visibility rather than periodic point-in-time assessments.
Guardian Security Insights uses Secure Score as one input among several. It adds nightly automated tenant assessments that check actual enforcement of security controls, not just whether they are enabled. Guardian tracks device compliance reality, stale account status, sign-in anomalies, and MFA registration gaps. It provides trend tracking over time and maps security data to specific regulatory requirements including GLBA, FTC Safeguards Rule, and FFIEC frameworks that Secure Score does not address.
M365 Guardian is the productized operating model Access Business Technologies uses to run the Microsoft Defender, Microsoft Purview, Microsoft Entra ID, Microsoft Intune, and Microsoft Sentinel surface inside a regulated mortgage environment. Microsoft owns and operates those products. ABT manages the Microsoft 365 tenants where those products are configured, tunes the controls to the attack patterns mortgage companies actually face, and runs the 24/7 security operations center that watches the Defender and Sentinel signals every minute of the day. Guardian is the operating layer that turns the Microsoft tools into a managed security program, and Guardian Security Insights is the continuous-improvement reporting layer that produces the trend line, the executive report, and the regulator-ready evidence.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has guided Microsoft deployments for regulated financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies strengthen their Microsoft 365 posture, secure customer data, and meet examiner expectations.