
Life Isn’t Graded on a Curve—Your Cybersecurity Score Shouldn’t Be Either

When it comes to cybersecurity, many organizations settle for “good enough.” They check their Microsoft Secure Score, see a passing grade like 70%, and breathe a sigh of relief. But here’s the hard truth: life isn’t graded on a curve, and neither is your security.

A Secure Score of 70% might outperform industry averages, but attackers don’t care about benchmarks. They target vulnerabilities, whether your score is 70% or 90%. Let’s explore why settling for mediocrity is dangerous, how to uncover the hidden risks that Secure Score misses, and what it takes to build a robust cybersecurity process.


Why a 'D' in Cybersecurity Is Dangerous

Microsoft Secure Score provides a numerical representation of your implemented security measures. While helpful as a baseline, it has a significant limitation: it grades on a curve. A score of 65% or 70% might feel acceptable, but in cybersecurity, a "D" isn’t just inadequate—it’s dangerous.

Here’s why:

  • Attackers Don’t Care About Benchmarks. Hackers exploit any vulnerability, no matter how small, and won’t stop until they find one.
  • False Sense of Security. A passing score can lull organizations into complacency, leaving critical gaps unaddressed.
  • Unique Industry Risks. Mortgage companies face specific challenges, such as regulatory compliance and protecting sensitive customer data, that Secure Score doesn’t fully account for.

Let’s break this down with a story:

One mortgage company we worked with had a Secure Score of 70%. Confident in their security, they felt no need to dig deeper. But when we audited their environment, we found over 40 stale accounts, some with admin privileges. These accounts, left active for over a year, posed a massive risk. Had an attacker found one, it could’ve been a direct entry point to critical systems.

This is why Secure Score alone isn’t enough. You need a process that uncovers hidden risks.


Exposing Hidden Risks: More Than a Score

Microsoft Secure Score highlights some vulnerabilities, but many significant risks remain hidden. Here are just a few examples of the many checks that require regular review:

1. Stale Account Risks

Inactive accounts are a prime target for attackers. Imagine this scenario:

A company has 40 stale accounts, many belonging to former contractors and employees. Several accounts still have admin-level access, granting full permissions to sensitive systems. These accounts haven’t been touched in over a year, but they remain active.

An attacker discovering one of these accounts is like handing them the keys to your organization.

Action Tip:

  • Regularly audit user accounts.
  • Immediately deactivate any accounts that have been inactive for 90 days or more.

2. Unmanaged Device Risks

Personal devices, such as laptops or smartphones, connecting to your network without proper controls are major vulnerabilities.

In one case, 15 unmanaged devices were actively accessing a company’s network. These devices:

  • Lacked critical security updates.
  • Operated without endpoint monitoring.
  • Contained outdated antivirus software, leaving them vulnerable to malware.

One device, used by a remote employee, hadn’t been updated in months and became a perfect entry point for an attacker.

Action Tip:

  • Enforce a bring-your-own-device (BYOD) policy that requires all devices to meet security standards before connecting.
  • Regularly review and update endpoint security software.

3. MFA Compliance Risks

Multi-Factor Authentication (MFA) is a cornerstone of modern security, but implementation often falls short.

For example, we’ve seen companies where over 20 users started the MFA setup process but never completed it. Despite having MFA technically “enabled,” these incomplete setups left accounts exposed. A phishing attack on just one of these users could bypass MFA entirely.

Action Tip:

  • Track MFA compliance regularly.
  • Use tools to monitor users who haven’t completed their MFA registration and follow up until it’s fully configured.

How to Build a Process to Achieve an 'A' in Cybersecurity

So, if Secure Score isn’t enough, what does it take to truly secure your organization? You need two key things:

  1. A Secure Score of 90% or better.
  2. A process to uncover and address hidden risks.

Here’s a step-by-step guide:

Step 1: Centralize Your Data

Your security data is likely scattered:

  • MFA compliance logs might live in Azure AD.
  • Device health reports could reside in your endpoint management system.
  • User activity logs might only exist in audit trails.

Bring this data together into a centralized repository or dashboard to get a complete view of your security posture.

Action Tip:

  • Leverage tools like Power BI or create custom dashboards to consolidate data across multiple systems.

Step 2: Write Custom Scripts

Scripts are essential for identifying risks. For example:

  • A script to flag inactive accounts.
  • Another to highlight users with incomplete MFA setups.
  • A script to detect unmanaged devices connecting to your network.

Action Tip:

  • Schedule these scripts to run automatically and review their outputs regularly.
  • Assign ownership of script maintenance to your IT team.

Step 3: Build Actionable Dashboards

Dashboards make data actionable. Focus on highlighting the most critical risks, such as:

  • Stale accounts with admin permissions.
  • Devices that haven’t reported activity in weeks.
  • Users missing critical MFA steps.

Action Tip:

  • Use visual indicators like red flags or percentages to prioritize actions quickly.

Step 4: Establish Accountability

Even with the best data, improvements won’t happen without accountability. Assign specific team members to:

  • Review risks regularly.
  • Prioritize remediation efforts.
  • Track progress over time.

Action Tip:

  • Hold bi-weekly security review meetings to ensure nothing falls through the cracks.
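The scripts from Step 2 and the prioritized view from Step 3, as an added example in Python that is not the article's or Guardian Security Insights' own code: it applies the 90-day stale threshold from the stale-account section, treats an unfinished MFA registration as a gap, and flags devices that are unmanaged or non-compliant. The record fields are an assumption modelled loosely on Microsoft Graph exports, and every record is constructed sample data.

```python
"""Flag hidden risks from exported identity data (the article's Steps 2 and 3).
Added example, not the article's or Guardian Security Insights' code. Field names loosely
follow Microsoft Graph user/registration/device objects but are an assumption; data is constructed."""
from datetime import datetime, timezone
STALE_DAYS = 90                                   # the article's deactivation threshold
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible
USERS = [  # constructed export: enabled flag, admin flag, last sign-in
    {"upn": "alice@example.com", "enabled": True,  "admin": True,  "lastSignIn": "2024-01-10T00:00:00Z"},
    {"upn": "bob@example.com",   "enabled": True,  "admin": False, "lastSignIn": "2024-09-01T00:00:00Z"},
    {"upn": "carol@example.com", "enabled": True,  "admin": False, "lastSignIn": "2025-01-10T00:00:00Z"},
    {"upn": "dave@example.com",  "enabled": True,  "admin": True,  "lastSignIn": None},
    {"upn": "erin@example.com",  "enabled": False, "admin": True,  "lastSignIn": "2023-05-01T00:00:00Z"},
]
REGISTRATIONS = [  # constructed MFA registration report; dave has no record at all
    {"upn": "alice@example.com", "isMfaRegistered": True},
    {"upn": "bob@example.com",   "isMfaRegistered": False},  # started enrolment, never finished
    {"upn": "carol@example.com", "isMfaRegistered": True},
]
DEVICES = [  # constructed device inventory
    {"name": "LAPTOP-01", "isManaged": True,  "isCompliant": True},
    {"name": "PHONE-07",  "isManaged": False, "isCompliant": False},
    {"name": "LAPTOP-09", "isManaged": True,  "isCompliant": False},
]

def idle_days(user, now=NOW):
    """Days since last sign-in; infinity when the account never signed in."""
    ts = user["lastSignIn"]
    return (now - datetime.fromisoformat(ts.replace("Z", "+00:00"))).days if ts else float("inf")

def stale_accounts(users=USERS, now=NOW, stale_days=STALE_DAYS):
    """Enabled accounts idle for >= stale_days; admins first, then longest idle first."""
    hits = [{"upn": u["upn"], "admin": u["admin"], "idleDays": idle_days(u, now)} for u in users if u["enabled"]]
    return sorted((h for h in hits if h["idleDays"] >= stale_days), key=lambda h: (not h["admin"], -h["idleDays"]))

def incomplete_mfa(users=USERS, registrations=REGISTRATIONS):
    """Enabled users without a completed MFA registration; a missing record counts as incomplete."""
    done = {r["upn"] for r in registrations if r["isMfaRegistered"]}
    return [u["upn"] for u in users if u["enabled"] and u["upn"] not in done]

def risky_devices(devices=DEVICES):
    """Devices outside management or failing compliance (no guarantee of patches or monitoring)."""
    return [d["name"] for d in devices if not (d["isManaged"] and d["isCompliant"])]

def dashboard(users=USERS, registrations=REGISTRATIONS, devices=DEVICES):
    """Step 3 summary: counts plus one red/amber/green flag, red reserved for stale admins."""
    stale = stale_accounts(users)
    admins = sum(h["admin"] for h in stale)
    mfa, devs = incomplete_mfa(users, registrations), risky_devices(devices)
    flag = "RED" if admins else "AMBER" if (stale or mfa or devs) else "GREEN"
    return {"staleAccounts": len(stale), "staleAdminAccounts": admins, "incompleteMfa": len(mfa), "riskyDevices": len(devs), "flag": flag}
```

In a real deployment the three lists would come from the identity and endpoint exports gathered in Step 1, and the dictionary returned by `dashboard()` is what a Power BI or similar visual would consume.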

The Challenge of Manual Processes

Even with dedicated resources, maintaining this process manually is overwhelming. One organization we worked with tried this approach and found it unsustainable. Despite weeks spent building scripts and dashboards, they couldn’t keep up as new threats emerged.


Introducing Guardian Security Insights

If the manual process sounds overwhelming, it’s because it is. That’s where Guardian Security Insights comes in. This solution automates the heavy lifting, ensuring you can focus on strategic improvements rather than repetitive tasks.

Features of Guardian Security Insights:

  1. Dynamic Risk Reports: Automatically identify stale accounts, unmanaged devices, and incomplete MFA setups.
  2. Actionable Recommendations: Prioritized steps tailored to your organization.
  3. Visual Dashboards: Real-time progress tracking.
  4. Industry-Specific Tools: Compliance tracking and device health monitoring for mortgage companies.

One client started with a Secure Score of 58% and struggled to keep up with manual processes. After implementing Guardian Security Insights, they hit 92% within six months, drastically reducing their exposure to cyber threats.


Final Thoughts and Next Steps

Cybersecurity isn’t about passing grades—it’s about creating a process that exposes and addresses risks effectively. Whether you choose to build your own system or leverage tools like Guardian Security Insights, the key is to take action.

For a deeper dive into this topic, check out the related Guardian Security Insights podcast or visit the Guardian Security Insights webpage for more details.

Remember, achieving an "A" in cybersecurity isn’t just about hitting a high score—it’s about uncovering and addressing the risks that matter most.