Life Isn’t Graded on a Curve—Your Cybersecurity Score Shouldn’t Be Either

Microsoft Secure Score tells you what percentage of recommended security actions your organization has taken. It's free. It's built into every Microsoft 365 tenant. And by itself, it gives you an incomplete picture of your actual security posture.

That matters more now than ever. Gartner predicts that by 2026, 50% of organizations will require real-time security scoring as a procurement criterion. Cyber insurance carriers already use Secure Score data during underwriting. And the Microsoft Security Intelligence Report found that organizations scoring above 80% experience 67% fewer security incidents.

The score is real. The risk of treating it as the whole story is also real.

The Secure Score Trap

A mortgage company checks its Secure Score and sees 70%. That looks passing. It sits above the industry average of 40% to 60% for mid-market companies. Leadership moves on to other priorities.

Here's the problem. Secure Score measures whether recommended actions are enabled. It doesn't measure whether they're working. Enabling MFA earns points. But if 15% of your accounts haven't completed registration, MFA has a gap that the score doesn't show.

Secure Score also weights actions differently. Turning on MFA earns significantly more points than adjusting a SharePoint sharing policy. So a company can have a high score while leaving entire categories of risk unaddressed.

For mortgage companies handling borrower Social Security numbers, bank statements, and tax returns, the gaps between "enabled" and "enforced" are where breaches happen.

What Secure Score Misses

Microsoft documents this openly. Secure Score covers five pillars: identity, devices, apps, data, and cloud infrastructure. What it doesn't cover tells you just as much.

Stale and Orphaned Accounts

An employee leaves. Their account gets disabled in HR's system but stays active in Entra ID because nobody ran the sync. That account doesn't show up as a Secure Score issue. But it's an open door for an attacker who finds the credentials.

Device Compliance Reality

Secure Score gives points for enabling Intune device compliance policies. It doesn't tell you that 200 devices failed compliance last week and nobody followed up. The policy exists. The enforcement gap doesn't register.

Behavioral Anomalies

A loan officer logs in from California at 8 AM and from Eastern Europe at 8:15 AM. That impossible-travel event doesn't affect Secure Score. It shows up in Defender logs, but only if someone is monitoring them.

Third-Party Application Risk

OAuth consent grants are one of the fastest-growing attack vectors. A user grants a third-party app access to their mailbox. Secure Score doesn't flag it. The app reads every email containing borrower documents until someone notices.
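As an added example (not code from this post or from ABT's Guardian product), the following Python checks three of the gaps described above against constructed sample records: MFA registration coverage, stale accounts, and impossible travel between consecutive sign-ins. The record shapes, the example.com accounts, and the 900 km/h travel threshold are assumptions, not anything a real tenant export guarantees.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample records (hypothetical, not from any real tenant) in the shape
# a nightly export of Entra ID users and the sign-in log might take.
USERS = [
    {"upn": "a.lopez@example.com", "mfa_registered": True,  "last_sign_in": "2025-09-01T13:02:00"},
    {"upn": "b.chen@example.com",  "mfa_registered": False, "last_sign_in": "2025-09-01T15:40:00"},
    {"upn": "c.reed@example.com",  "mfa_registered": True,  "last_sign_in": "2025-05-02T09:00:00"},
    {"upn": "d.park@example.com",  "mfa_registered": True,  "last_sign_in": "2025-08-30T11:10:00"},
]
SIGN_INS = [  # lat/lon is the location the sign-in IP resolved to
    {"upn": "a.lopez@example.com", "time": "2025-09-01T08:00:00", "lat": 37.77, "lon": -122.42},
    {"upn": "a.lopez@example.com", "time": "2025-09-01T08:15:00", "lat": 50.45, "lon": 30.52},
    {"upn": "d.park@example.com",  "time": "2025-09-01T09:00:00", "lat": 34.05, "lon": -118.24},
    {"upn": "d.park@example.com",  "time": "2025-09-01T16:30:00", "lat": 40.71, "lon": -74.01},
]

def mfa_registration_gap(users):
    """Share of accounts covered by an MFA policy that have no registered method."""
    missing = [u["upn"] for u in users if not u["mfa_registered"]]
    return len(missing) / len(users), missing

def stale_accounts(users, now, max_idle_days=90):
    """Accounts with no sign-in for max_idle_days: likely leavers never cleaned up."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_idle_days)
    return [u["upn"] for u in users if datetime.fromisoformat(u["last_sign_in"]) < cutoff]

def haversine_km(a, b):
    """Great-circle distance in km between two records carrying lat/lon."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(sign_ins, max_kmh=900):
    """Consecutive sign-ins per user whose implied speed exceeds an airliner's."""
    hits, last = [], {}
    for s in sorted(sign_ins, key=lambda r: (r["upn"], r["time"])):
        prev = last.get(s["upn"])
        if prev:
            hours = (datetime.fromisoformat(s["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            if haversine_km(prev, s) > max_kmh * hours:  # also catches hours == 0
                hits.append((s["upn"], prev["time"], s["time"]))
        last[s["upn"]] = s
    return hits
```

None of these findings changes the Secure Score, which is the point: the MFA action is "enabled" while one in four sample accounts has no registered method.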

Why Secure Score Is Becoming a Business Requirement

Despite its limitations, Secure Score is becoming unavoidable. LevelBlue's March 2025 analysis showed that the score is shifting from internal benchmark to external requirement:

  • Cyber insurance: Carriers now check Secure Score during underwriting. Higher scores mean lower premiums. Some carriers verify that your stated MFA coverage matches your actual Secure Score history during claims.
  • Vendor procurement: Large institutions and GSEs increasingly require minimum Secure Scores from vendors. A low score can disqualify your company from contracts.
  • M&A due diligence: Acquirers check Secure Score as part of technology risk assessment. A weak score can delay or derail a deal.
  • Regulatory direction: The FFIEC retired its manual Cybersecurity Assessment Tool in August 2025. The replacement guidance points toward continuous, automated security measurement. Secure Score fits that direction.

The score matters. But optimizing it without understanding what it doesn't measure creates a false sense of security.

Going Beyond the Number

A meaningful security posture assessment for mortgage companies needs to answer questions Secure Score doesn't:

  1. Are our security controls actually working? Not just enabled, but enforced across every account and device.
  2. Where are the gaps between systems? Identity says one thing. Device management says another. Which one reflects reality?
  3. Is our posture improving or drifting? A point-in-time score doesn't show trajectory. Monthly trends do.
  4. Can we prove compliance? GLBA, FTC Safeguards Rule, and state regulators want evidence of continuous monitoring, not a screenshot of a dashboard.

These questions require combining Secure Score data with operational reality. Automated. Continuous. Reported in a format that leadership and regulators can both understand.

Case Study: Mason-McDuffie Mortgage

Mason-McDuffie Mortgage (MasonMac), a retail mortgage banking firm operating across roughly 40 states with about 350 employees, came to Access Business Technologies with a Secure Score of 32%.

Their environment told a familiar story. Mixed security software across laptops and desktops. Partial cloud migration. No unified strategy for the Microsoft 365 tools they were already paying for. Their IT team was overwhelmed by manual checks and complex scripts that still missed critical gaps like incomplete MFA registrations and unmanaged devices.

The ABT team implemented Guardian in two phases:

Phase 1: Hardening

  • Conditional Access policies enforcing MFA on every login
  • Intune device compliance covering all endpoints
  • Defender for Office 365 protecting against phishing and email-borne threats
  • Microsoft Information Protection securing borrower data flows

Phase 2: Monitoring and Insights

  • Nightly automated security assessments replacing manual spot checks
  • Continuous threat detection through managed extended detection and response (MxDR)
  • AI-driven analytics identifying emerging risks before they become incidents
  • Regular security posture reporting for leadership and compliance

MasonMac's Secure Score climbed from 32% to nearly 93%. But the real outcome was that their IT team stopped spending days on manual security reviews. They got automated daily reports that told them exactly what needed attention, prioritized by risk.

The Guardian Security Insights Approach

Guardian Security Insights is how ABT turns Microsoft 365 security from a collection of tools into a managed security program. Here's what sets it apart:

  • Nightly automated pulls from your tenant. No scripts to maintain. No manual exports.
  • Actionable dashboards that prioritize by risk, not by alphabetical order of Microsoft's recommendation list.
  • Trend tracking that shows whether your posture improved or degraded this week, this month, this quarter.
  • Compliance mapping that connects security controls to GLBA, FTC Safeguards Rule, FFIEC, NCUA, and state regulatory frameworks.
  • Executive reports that non-technical leadership can understand without translation from IT.

Your Secure Score is one input to Guardian. Not the whole answer. Guardian combines it with device health, account hygiene, behavioral analytics, and compliance requirements to give you a complete picture that the score alone can't provide.

Talk to a mortgage IT specialist about what your Secure Score isn't telling you.

Frequently Asked Questions

What are the limitations of Microsoft Secure Score for mortgage companies?

Microsoft Secure Score measures whether recommended security actions are enabled but does not verify that they are enforced across every account and device. It does not detect stale accounts, device compliance enforcement gaps, behavioral anomalies like impossible-travel sign-ins, or risky third-party OAuth application consent grants. For mortgage companies handling sensitive borrower data, these gaps represent real attack surfaces that the score alone cannot reveal.

What security evidence do cyber insurers want beyond a Microsoft Secure Score number?

Insurers increasingly look past the headline score during underwriting. They want evidence of active endpoint detection and response telemetry, proof that MFA is enforced rather than just enabled, documentation of incident response plan testing, and historical trend data showing sustained security improvements over time. A high Secure Score paired with stale admin accounts, unmanaged devices, or untested backup procedures still represents underwriting risk that the score alone does not capture.

What Secure Score did Mason-McDuffie Mortgage achieve with Guardian?

Mason-McDuffie Mortgage started with a Microsoft Secure Score of 32% and reached nearly 93% after implementing Guardian through Access Business Technologies. The improvement came from a two-phase approach: first hardening the Microsoft 365 environment with Conditional Access, Intune device compliance, and Defender for Office 365, then layering continuous monitoring through Guardian Security Insights with nightly automated assessments and managed extended detection and response.

Why did the FFIEC retire the Cybersecurity Assessment Tool?

The FFIEC retired its Cybersecurity Assessment Tool (CAT) on August 31, 2025, after 10 years of use. While the fundamental security controls in the CAT remained sound, the manual self-assessment approach could not keep pace with rapidly evolving cyber threats. The replacement guidance from federal banking regulators directs financial institutions toward continuous automated monitoring frameworks that provide real-time security posture visibility rather than periodic point-in-time assessments.

How does Guardian Security Insights go beyond Microsoft Secure Score?

Guardian Security Insights uses Secure Score as one input among several. It adds nightly automated tenant assessments that check actual enforcement of security controls, not just whether they are enabled. Guardian tracks device compliance reality, stale account status, sign-in anomalies, and MFA registration gaps. It provides trend tracking over time and maps security data to specific regulatory requirements including GLBA, FTC Safeguards Rule, and FFIEC frameworks that Secure Score does not address.