
Secure Score Action Plan for Financial Institutions: From 47% to 90%+


Your Microsoft Secure Score is 47%. You know the number. You do not know what to do about it. The Microsoft 365 admin portal shows a list of 60+ recommended actions sorted by point value. Some take five minutes. Some require weeks of planning and change management. The list does not tell you which ones actually reduce your risk versus which ones just raise the number.

This is the gap between having a score and having a plan. Financial institutions need both. IBM's 2025 Cost of a Data Breach Report found that institutions with proactive security programs detected breaches 45 days faster than those without. That speed comes from knowing what matters, acting on it first, and measuring the result.

ABT's Guardian operating model turns Secure Score into a prioritized action plan built for regulated financial institutions. Not a generic list of Microsoft recommendations. A sequenced plan where each action addresses real risk, produces compliance evidence, and moves the score toward the 90%+ target.

Why Secure Score Alone Does Not Drive Action

Microsoft Secure Score is a well-designed measurement tool with three limitations that prevent it from driving real security improvement in financial institutions.

Limitation 1: Point Value Does Not Equal Risk Reduction

Secure Score assigns point values to each recommended action. Some high-point actions have minimal security impact. Some low-point actions are critical. Blocking legacy authentication might be worth fewer points than configuring advanced audit logging, but it stops 99% of password spray attacks. The point system does not reflect your institution's actual threat model.

A mortgage lender holding borrower Social Security numbers and bank account data has a different risk profile than a consulting firm with the same number of Microsoft 365 users. Secure Score does not account for this difference.

Limitation 2: No Sequencing or Dependencies

Microsoft presents recommended actions as a flat list. In practice, some actions depend on others. You cannot enforce device compliance through Conditional Access until devices are enrolled in Intune. You cannot require compliant devices until you define what "compliant" means in your Intune policies. You cannot roll out MFA to all users simultaneously without a phased plan and user communication.

Secure Score does not tell you the order. It does not tell you which actions have prerequisites. A team that picks the highest-point action first may discover it requires three other changes they have not made.

Limitation 3: No Regulatory Context

Secure Score recommendations align with Microsoft's security best practices. They do not map to GLBA, FTC Safeguards Rule, FFIEC examination expectations, NCUA ACET domains, or state regulations like NYDFS 23 NYCRR 500. A financial institution IT director needs to know which Secure Score actions satisfy regulatory requirements and which are nice-to-have improvements above the compliance floor.

The Guardian Action Plan: From Score to Roadmap

Guardian takes the raw Secure Score data and transforms it into a structured action plan. Here is how that plan works.

Phase 1: Block the Biggest Threats First (Week 1-2)

The first actions target the highest-risk gaps regardless of point value. For most financial institutions, these are:

Block legacy authentication. IMAP, SMTP, POP3, and MAPI protocols do not support MFA. Microsoft reports that 99% of password spray attacks target these protocols. Blocking them through Conditional Access is a single policy change that removes the most common attack vector from your environment.

Most lenders ABT onboards have legacy auth enabled because "someone might need it." ABT has yet to find that someone. If a specific application requires legacy auth, Guardian creates a scoped exception with monitoring rather than leaving the entire tenant exposed.

Complete MFA enrollment for all users. Not registration. Completion. Guardian identifies every user who started MFA setup but never finished the second factor. Standard Microsoft reporting counts these users as MFA-enabled. They are not. Send them enrollment completion links with a 48-hour deadline.

Disable stale accounts. Accounts inactive for 90+ days with active licenses are security risks and budget waste. Guardian surfaces every stale account with the last login date, assigned roles, and license cost. Disable them. Reclaim the licenses.
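As an added illustration (not part of the original article and not ABT's Guardian tooling), the three Phase 1 actions above can be scripted against a tenant with the Microsoft Graph PowerShell SDK. The break-glass group id is a placeholder, and the legacy-auth policy is created in report-only mode so the sign-in log can be reviewed before it is enforced.

```powershell
# Added example, not Guardian's code. Assumes the Microsoft.Graph PowerShell SDK and an
# Entra ID P1 licence (needed for Conditional Access and for sign-in activity data).
# $breakGlassGroupId is a placeholder for your emergency-access group's object id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"
$breakGlassGroupId = "<break-glass-group-object-id>"

# 1. Block legacy authentication. Report-only first: the sign-in log then shows exactly
#    which accounts or apps would have been blocked; set state to "enabled" once reviewed.
$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = IMAP, POP3, SMTP AUTH, MAPI
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 2. Users whose MFA registration was never completed (no strong second factor on file).
$mfaGaps = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } }

# 3. Enabled, licensed accounts with no sign-in in the last 90 days.
$cutoff = (Get-Date).AddDays(-90)
$stale = Get-MgUser -All -Property "displayName,userPrincipalName,accountEnabled,assignedLicenses,signInActivity" |
    Where-Object {
        $_.AccountEnabled -and $_.AssignedLicenses.Count -gt 0 -and
        ($null -eq $_.SignInActivity.LastSignInDateTime -or $_.SignInActivity.LastSignInDateTime -lt $cutoff)
    } |
    Select-Object DisplayName, UserPrincipalName,
        @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } },
        @{ n = "Licenses";   e = { $_.AssignedLicenses.Count } }

"MFA not completed: $(@($mfaGaps).Count) users";  $mfaGaps | Format-Table -AutoSize
"Stale licensed accounts: $(@($stale).Count)";    $stale | Sort-Object LastSignIn | Format-Table -AutoSize
# Check the stale list against documented exceptions (shared mailboxes, service accounts)
# before disabling each one with: Update-MgUser -UserId <id> -AccountEnabled:$false
```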

Phase 2: Harden the Configuration (Week 3-6)

With the biggest threats blocked, the next phase builds the security configuration that prevents drift.

Deploy Conditional Access policies. Require MFA from untrusted locations. Block access from non-compliant devices. Restrict high-risk sign-ins. Each policy maps to specific GLBA and FTC Safeguards Rule access control requirements.

Enroll devices in Intune. Define compliance policies (OS version, encryption, screen lock). Enroll all devices that access your Microsoft 365 tenant. Block non-enrolled devices through Conditional Access. This gives your team visibility into every endpoint touching borrower data.

Configure DLP policies. Create policies that detect and protect Social Security numbers, bank account numbers, and other borrower data types in Exchange, SharePoint, OneDrive, and Teams. DLP is a GLBA requirement and an FTC Safeguards Rule expectation.

Set up email authentication. SPF, DKIM, and DMARC prevent attackers from sending email that appears to come from your domain. Phishing emails spoofing your loan officers' addresses cost borrowers money and cost your institution trust.
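The following is an added example, not from the original article: a Resolve-DnsName check that reports whether a domain's SPF, DKIM and DMARC records exist and how strict they are. example.com is a placeholder domain, and the DKIM check assumes the selector1/selector2 CNAME records that Microsoft 365 publishes.

```powershell
# Added example, not Guardian's code. Resolve-DnsName is the DnsClient cmdlet that ships
# with Windows. "example.com" is a placeholder; selector1/selector2 are the CNAME selectors
# Microsoft 365 publishes for its DKIM signing keys.
param([string]$Domain = "example.com")

function Get-TxtRecords([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq "TXT" } |
            ForEach-Object { $_.Strings -join "" }   # records over 255 chars arrive in chunks
    } catch { @() }
}

$spf   = @(Get-TxtRecords $Domain)          | Where-Object { $_ -like "v=spf1*" }
$dmarc = @(Get-TxtRecords "_dmarc.$Domain") | Where-Object { $_ -like "v=DMARC1*" }
$dkim  = foreach ($sel in "selector1", "selector2") {
    try { Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction Stop | Select-Object -First 1 }
    catch { }
}

# SPF: only "-all" tells receivers to reject mail from senders not listed in the record.
if (-not $spf)              { $spfStatus = "MISSING" }
elseif ($spf -match "-all") { $spfStatus = "ok (-all)" }
elseif ($spf -match "~all") { $spfStatus = "soft fail only (~all): spoofed mail is marked, not rejected" }
else                        { $spfStatus = "weak: no -all qualifier" }
if (@($spf).Count -gt 1)    { $spfStatus += "; more than one SPF record is itself an error" }

# DKIM: both selectors must resolve, because Microsoft 365 rotates between them.
$dkimStatus = if (@($dkim).Count -eq 2) { "ok (both selectors published)" } else { "MISSING or incomplete" }

# DMARC: p=none only produces reports; it does nothing to mail that spoofs your domain.
if (-not $dmarc)                        { $dmarcStatus = "MISSING" }
elseif ($dmarc -match "\bp=reject")     { $dmarcStatus = "ok (p=reject)" }
elseif ($dmarc -match "\bp=quarantine") { $dmarcStatus = "partial (p=quarantine)" }
else                                    { $dmarcStatus = "monitor only (p=none): spoofed mail is still delivered" }

[pscustomobject]@{ Domain = $Domain; SPF = $spfStatus; DKIM = $dkimStatus; DMARC = $dmarcStatus } | Format-List
```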

Phase 3: Build Monitoring and Reporting (Month 2-3)

With the hardened baseline in place, Guardian shifts to continuous monitoring that catches changes before they become problems.

Enable Secure Score trending. Guardian tracks your score across Identity, Data, Devices, and Apps with 30/60/90-day trend lines. A score that drops on Tuesday gets investigated on Wednesday, not discovered during the quarterly review.

Configure drift detection. Any modification to Conditional Access policies, Intune compliance rules, DLP configurations, or Entra ID settings triggers a logged event. Your team sees what changed, who changed it, and whether the change creates a compliance gap.

Build compliance reporting. Guardian maps your current control state to every applicable regulatory framework. One data set, multiple audiences: your internal team, your auditor, your examiner, your cyber insurance carrier.
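As an added example, not Guardian's own reporting, the first two Phase 3 checks can be scripted with the Microsoft Graph PowerShell SDK: a 90-day Secure Score trend that lists any daily drop, and a directory audit query that shows who changed which Conditional Access policy in the last 24 hours.

```powershell
# Added example, not Guardian's code. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# 1. Secure Score trend. Microsoft keeps one snapshot per day and the percentage is
#    currentScore / maxScore. List any day that fell a point or more against the day before.
$snapshots = Get-MgSecuritySecureScore -Top 90 | Sort-Object CreatedDateTime
$trend = @(); $prev = $null
foreach ($s in $snapshots) {
    $pct    = [math]::Round(100 * $s.CurrentScore / $s.MaxScore, 1)
    $change = if ($null -ne $prev) { [math]::Round($pct - $prev, 1) } else { 0 }
    $trend += [pscustomobject]@{ Date = $s.CreatedDateTime.ToString("yyyy-MM-dd"); ScorePct = $pct; Change = $change }
    $prev = $pct
}
"Current Secure Score: $($trend[-1].ScorePct)% over $($trend.Count) days of history"
$trend | Where-Object { $_.Change -le -1 } | Format-Table -AutoSize   # drops to investigate

# 2. Drift detection: every Conditional Access policy change in the last 24 hours, with the
#    actor. (Intune compliance and Purview DLP changes live in their own audit logs.)
$since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -like "*conditional access policy*" } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = "Actor";  e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = "Policy"; e = { ($_.TargetResources | Select-Object -First 1).DisplayName } } |
    Format-Table -AutoSize
```

Changes made by an application rather than a user show up under InitiatedBy.App instead of InitiatedBy.User, so an empty Actor column is itself worth a look.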

Phase 4: Optimize and Maintain (Ongoing)

Once your score stabilizes above 80% and trends toward 90%, the work shifts from implementation to optimization.

Evaluate remaining Secure Score actions. Some recommendations in the 80-100% range involve trade-offs. Guardian identifies which remaining actions provide real security value versus which ones add complexity without meaningful risk reduction.

Address new Microsoft recommendations. Microsoft adds new Secure Score actions quarterly. Guardian evaluates each new recommendation against your risk profile and regulatory requirements before adding it to the action plan.

Prepare for regulatory changes. When NIST updates a control, when a state regulator issues new guidance, when your cyber insurance carrier changes their questionnaire, Guardian maps the new requirements against your existing controls and identifies gaps.

Measuring Progress: The Metrics That Matter

Secure Score is one metric. Guardian tracks the metrics that tell the full story.

  • Secure Score by category: Identity, Data, Devices, Apps. Each tracked with 30/60/90-day trends. A score of 85% with all categories balanced is stronger than 85% with Identity at 95% and Devices at 60%.
  • MFA completion rate: Percentage of users with fully enrolled (not just registered) MFA. Target: 100%. Guardian tracks the gap between registered and enrolled.
  • Stale account count: Number of accounts inactive beyond your policy threshold. Target: zero outside documented exceptions like shared mailboxes and service accounts.
  • Device compliance rate: Percentage of devices accessing your tenant that meet all Intune compliance policies. Target: 95%+.
  • Policy drift events per month: Number of unauthorized configuration changes detected. Trend should approach zero as governance processes mature.
  • Mean time to remediate: Hours from the time a finding is detected to the time it is resolved. Guardian clients with mature processes average under 48 hours for non-critical findings and under 4 hours for critical findings.
  • Compliance gap count: Number of unresolved regulatory control gaps. Tracked against each applicable framework. Target: zero critical gaps, declining total gaps.

These metrics go into leadership dashboards and audit evidence packages. They tell two stories at once: your institution's security is improving, and you can prove it.

Real Results from Financial Institutions

The pattern is consistent across the 750+ financial institutions ABT serves:

Starting point: Most lenders begin with Secure Scores between 35% and 55%. Legacy authentication is enabled. MFA enrollment is incomplete. Stale accounts number in the dozens. Device compliance is either not configured or not enforced.

After 30 days: Secure Score jumps 20-30 points. Legacy auth is blocked. MFA is fully enrolled. Stale accounts are disabled. The highest-risk gaps are closed.

After 90 days: Score stabilizes above 80% with a clear path to 90%+. Continuous monitoring is operational. Compliance evidence is generated automatically. The daily report contains a handful of items instead of a wall of findings.

After 6 months: The security program operates on a maintenance rhythm. Your team works from prioritized daily reports. Auditors get evidence packages that answer their questions before they ask. Cyber insurance renewals include documentation that supports premium reduction conversations.

The ABT Approach: Pure Microsoft, Deep Financial Services

ABT is a cloud-first managed service provider and Tier-1 Microsoft Cloud Solution Provider. ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. Guardian is built on the same Microsoft tools your institution already licenses.

This architecture means Guardian reads directly from your tenant's native APIs. No third-party data warehouse. No translation layer. No sync delays. The findings are as current as the data in your Microsoft 365 environment.

ABT has managed Microsoft 365 tenants for financial institutions since 1999. Twenty-five years of configuration patterns, compliance requirements, and audit preparation across mortgage lenders, credit unions, banks, and regulated industries. Your institution's action plan is informed by that depth of experience.

Technical Reference

Microsoft Secure Score: A percentage-based security posture metric across Identity, Data, Devices, and Apps categories. Each recommended action has a point value. Total achieved points divided by total available points equals the score. Useful as a benchmark, insufficient as a standalone security strategy.

Conditional Access: Microsoft Entra ID policy engine that evaluates every access request against conditions including user identity, device compliance, network location, and real-time risk level. The enforcement layer for zero-trust architecture in Microsoft 365.

Legacy Authentication Protocols: IMAP, SMTP, POP3, and MAPI protocols that predate modern authentication and cannot enforce MFA. Used in 99% of password spray attacks according to Microsoft. Blocking through Conditional Access is the highest-impact single Secure Score action.

Microsoft Intune: Cloud-based endpoint management platform that enforces device compliance policies including OS version requirements, encryption status, and screen lock configuration. Integrates with Conditional Access to block non-compliant devices.

Data Loss Prevention (DLP): Microsoft Purview feature that identifies, classifies, and protects sensitive data across Exchange, SharePoint, OneDrive, Teams, and endpoints. Detects data types like Social Security numbers and financial account numbers.

Frequently Asked Questions

How does Guardian turn Microsoft Secure Score into an action plan?

Guardian takes the raw Secure Score recommendations and reorders them by actual risk rather than point value. Each action is sequenced with prerequisites, mapped to regulatory frameworks like GLBA and FTC Safeguards Rule, and assigned estimated effort. The result is a phased roadmap starting with the highest-risk gaps and building toward a 90%+ target across all four score categories.

What is a realistic Secure Score improvement timeline for mortgage lenders?

Most mortgage lenders start between 35% and 55%. After blocking legacy authentication, completing MFA enrollment, and disabling stale accounts, scores typically jump 20-30 points in the first month. By 90 days, scores stabilize above 80% with a clear path to 90%+. Continuous monitoring and optimization maintain and improve the score from that point forward.

Why should financial institutions prioritize blocking legacy authentication first?

Legacy authentication protocols like IMAP, SMTP, and POP3 cannot enforce MFA, making them the entry point for 99% of password spray attacks according to Microsoft. Blocking legacy auth through a single Conditional Access policy removes the most common attack vector from your environment. ABT implements this in the first week of every onboarding engagement.

How does Secure Score relate to GLBA and FTC Safeguards Rule compliance?

Secure Score measures Microsoft's recommended security actions, which overlap significantly with GLBA and FTC Safeguards Rule requirements but are not identical. MFA enforcement, device compliance, and DLP policies satisfy both Secure Score recommendations and regulatory requirements. Guardian maps each Secure Score action to applicable regulatory frameworks so your team knows which actions serve compliance and which are additional hardening.

What metrics beyond Secure Score should financial institutions track?

Guardian tracks MFA completion rate (not just registration), stale account count, device compliance percentage, policy drift events per month, mean time to remediate findings, and compliance gap count per regulatory framework. These metrics provide operational visibility that Secure Score alone cannot deliver and produce evidence auditors and examiners expect to see.

Turn Your Score Into a Security Program

A number tells you where you stand. A plan tells you where to go. Guardian provides both: the measurement and the roadmap to get from 47% to 90%+ with every action sequenced, documented, and mapped to your regulatory requirements.

Talk to an ABT security specialist about building a Secure Score action plan for your institution.
