How Guardian Security Insights Streamlines IT Security Workflows

Justin Kirsch | 12 min read

Your IT team spent 14 hours last week chasing MFA gaps, reviewing stale accounts, and pulling compliance reports by hand. That is 14 hours burned on tasks that a properly configured Microsoft 365 tenant handles automatically. The IBM 2025 Cost of a Data Breach Report measured the financial-services average per breach at $5.56 million. Most of those breaches started with the exact gaps your team spent those 14 hours trying to close.

The problem is not a lack of effort. It is a lack of automation. Mortgage lenders, credit unions, and banks run security workflows built on manual processes, disconnected tools, and tribal knowledge. When someone leaves, the process leaves with them.

Guardian Security Insights changes the operating rhythm. As the intelligence layer of ABT's Guardian operating model, it sits on top of your Microsoft 365 tenant, configures Microsoft Entra ID, Microsoft Defender, Microsoft Intune, and Microsoft Purview to enforce a hardened baseline, and surfaces the prioritized work your team needs to do each morning. Not more alerts. Fewer alerts, better prioritized, with clear next steps attached.

$5.56M
Average data breach cost for a financial-services organization in 2025, down 8.6% from $6.08M in 2024, but mean time to identify and contain still sits at 241 days, more than eight months of exposure
Source: IBM 2025 Cost of a Data Breach Report (Ponemon Institute)

Why Manual Security Workflows Fail at Scale

A five-person IT shop at a mid-size mortgage lender handles licensing, device management, compliance reporting, user provisioning, and security monitoring. Those are five full-time jobs compressed into five people who also answer help desk tickets. Manual workflows break in predictable ways:

  • Alert fatigue kills response time. Microsoft Defender generates thousands of events per week. Without automated triage, high-priority items get buried under low-severity noise.
  • Stale accounts persist for months. When a loan officer leaves, their account stays active because nobody owns the offboarding checklist. Each stale account is an open door for credential stuffing.
  • MFA gaps hide in plain sight. A user registers for MFA but never completes enrollment. The Microsoft Entra ID admin portal shows them as "registered" while they remain unprotected. ABT's pre-onboarding assessments find this gap is the single largest contributor to account compromises in tenants that arrive without managed governance.
  • Compliance evidence takes days to compile. When an examiner asks for proof of Conditional Access enforcement, someone spends a full day exporting logs, formatting spreadsheets, and writing explanations.

Each of these problems compounds. A stale account with no MFA that triggers a Microsoft Defender alert nobody sees is not a theoretical risk. It is the exact sequence that leads to an incident, a CFPB inquiry, and a borrower-notification budget your CFO never approved. The same set of weaknesses also drives the IBM finding above: it takes 241 days on average to identify and contain a breach, and the longer the dwell time, the larger the eventual cost. Automation closes that window.

What Most Mortgage IT Teams Carry Quietly

In 19+ years of running Microsoft tenants for mortgage lenders, banks, and credit unions, ABT sees the same operational debt at almost every onboarding: legacy authentication still enabled on Exchange Online, Conditional Access policies riddled with break-glass exclusions that were supposed to be temporary, and a Microsoft Secure Score sitting between 35% and 55%, which Microsoft itself flags as roughly average for the institution's size and industry. That is grading on a curve. Your examiner does not grade on a curve; the examiner grades on the regulation.

How Guardian Security Insights Automates the Security Workflow

Guardian Security Insights is not a dashboard you log into once a quarter. It is a continuous operating model (methodology, policy set, and prioritized findings) that runs on top of Microsoft 365 every night. ABT's security operations team reviews the output every morning and turns it into a short, ranked list of actions for your IT team. The detection happens in Microsoft tools. The prioritization, FI-specific scoping, and drift monitoring are the Guardian operating model at work.

[Figure: Manual vs. automated Microsoft 365 security workflow. Where mortgage IT teams typically spend their 14 hours, and what an automated tenant operating model returns to them.]

Nightly Risk Surfacing

Every night, the Microsoft platform produces signals: Microsoft Entra ID logs sign-ins and risky sessions, Microsoft Defender flags suspicious mail and endpoint activity, Microsoft Intune reports device compliance, and Microsoft Purview audit logs every administrative and data-access event. As part of the Guardian operating model, ABT pulls those signals into a single overnight review and produces a prioritized findings report that lists:

  • Users who registered for MFA but never completed enrollment
  • Accounts inactive for 30, 60, or 90 days (configurable per institution)
  • Devices accessing your tenant that are not enrolled in Microsoft Intune
  • Conditional Access policies with too many exclusions or weakened scope
  • External sharing configurations that expose sensitive borrower data
  • Microsoft Purview DLP policy violations and patterns

These reports do not generate alerts in the traditional sense. They generate ranked findings. Each finding includes the affected user or device, the specific risk, and the recommended remediation step. Your team opens a report, not a firehose.
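
An added example (not ABT's or Guardian's code) of how ranked findings like those listed above can be derived from exported Microsoft Graph data, with each finding carrying the resource, the risk, and a remediation step. The records are constructed; reading `isMfaRegistered` true with `isMfaCapable` false as "registered but never completed", the score weights, and the exclusion limit of 3 are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like Microsoft Graph exports; not real tenant data.
# User rows merge userRegistrationDetails with signInActivity.lastSignInDateTime.
USERS = [
    {"userPrincipalName": "a.lee@example.test", "accountEnabled": True,
     "isMfaRegistered": True, "isMfaCapable": True,
     "lastSignInDateTime": "2025-05-30T14:02:00Z"},
    {"userPrincipalName": "b.ortiz@example.test", "accountEnabled": True,
     "isMfaRegistered": True, "isMfaCapable": False,
     "lastSignInDateTime": "2025-05-28T09:10:00Z"},
    {"userPrincipalName": "c.nguyen@example.test", "accountEnabled": True,
     "isMfaRegistered": True, "isMfaCapable": False,
     "lastSignInDateTime": "2025-02-01T08:00:00Z"},
    {"userPrincipalName": "d.patel@example.test", "accountEnabled": False,
     "isMfaRegistered": False, "isMfaCapable": False,
     "lastSignInDateTime": None},
]
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"excludeUsers": ["u1", "u2", "u3", "u4"],
                              "excludeGroups": ["g1"]}}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"excludeUsers": [], "excludeGroups": []}}},
]

def finding(resource, risk, remediation, score):
    return {"resource": resource, "risk": risk,
            "remediation": remediation, "score": score}

def build_findings(users, policies, now, stale_days=(30, 60, 90), max_exclusions=3):
    """Return findings sorted highest score first. Scores are illustrative weights."""
    out = []
    for u in users:
        if not u["accountEnabled"]:
            continue  # already disabled, nothing to remediate
        upn, mfa_gap = u["userPrincipalName"], not u["isMfaCapable"]
        if u["isMfaRegistered"] and mfa_gap:
            out.append(finding(upn, "MFA registered but no usable method",
                               "complete MFA enrollment", 3))
        last = u["lastSignInDateTime"]
        if last is None:
            continue  # never signed in: judging this needs createdDateTime
        idle = (now - datetime.fromisoformat(last.replace("Z", "+00:00"))).days
        tiers = [d for d in sorted(stale_days) if idle >= d]
        if tiers:
            # A stale account that also lacks working MFA is ranked higher.
            score = len(tiers) + (2 if mfa_gap else 0)
            out.append(finding(upn, f"inactive {idle} days (>= {tiers[-1]})",
                               "disable account per offboarding policy", score))
    for p in policies:
        name, scope = p["displayName"], p["conditions"]["users"]
        if p["state"] != "enabled":
            out.append(finding(name, f"policy not enforced (state={p['state']})",
                               "switch policy to enabled", 4))
        excluded = len(scope["excludeUsers"]) + len(scope["excludeGroups"])
        if excluded > max_exclusions:
            out.append(finding(name, f"{excluded} exclusions in policy scope",
                               "review and remove expired exclusions", 2))
    return sorted(out, key=lambda f: (-f["score"], f["resource"]))

if __name__ == "__main__":
    report = build_findings(USERS, POLICIES, datetime(2025, 6, 1, tzinfo=timezone.utc))
    for f in report:
        print(f"[{f['score']}] {f['resource']}: {f['risk']} -> {f['remediation']}")
```

The stale account that also lacks working MFA sorts to the top, matching the compounding sequence described earlier, and the disabled account produces no finding.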

Secure Score Tracking with Context

Microsoft Secure Score gives you a number between 0% and 100% across four categories: Identity, Data, Devices, and Apps. Microsoft itself benchmarks that number against tenants of similar size and industry. That is grading on a curve. If every other 200-employee mortgage lender is also failing to finish their MFA rollout, Microsoft still tells you that your 47% is roughly average for your peer group. The board hears "average for our size" and relaxes. Your auditor sees "53% of recommended controls unimplemented" and writes it up.

Most mortgage lenders ABT onboards score between 35% and 55% on Secure Score. The Guardian operating model targets 90% or higher across all four categories, measured against the regulation, not against the curve. ABT breaks the gap into a sequenced work plan ranked by risk reduction, not by Secure Score points. Block legacy authentication first. Microsoft's own data has long shown that more than 99% of password-spray attacks target legacy auth protocols. Then enforce MFA registration completion via Conditional Access. Then close the device-compliance gaps in Microsoft Intune.

Each action shows the expected risk reduction (and Secure Score lift) before you implement it. No guessing. No wasted effort on low-impact changes while high-risk gaps stay open.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft's 2024 Digital Defense Report documents that more than 600 million identity attacks land against Microsoft cloud customers every day, and that 99% of password-spray and credential-stuffing attempts target accounts protected only by legacy authentication. As a Tier-1 Microsoft Cloud Solution Provider for more than 750 financial institutions, ABT sees the same pattern in pre-onboarding assessments: tenants that have not blocked legacy auth, completed MFA enrollment, or removed temporary Conditional Access exclusions sit well below the 80% Secure Score threshold examiners increasingly expect, even when the institution itself believes it is in good shape.

Source: Microsoft Digital Defense Report 2024; ABT pre-onboarding assessment data

Compliance Evidence on Demand

The FFIEC retired its Cybersecurity Assessment Tool in August 2025 and directed financial institutions to the NIST Cybersecurity Framework 2.0. The NCUA released an updated Automated Cybersecurity Evaluation Tool (ACET) aligned with the same framework. For mortgage lenders, the FTC Safeguards Rule and GLBA remain the floor. Many institutions also run alongside CRI Profile, NYDFS 23 NYCRR 500, and state-level mortgage-licensing standards.

The Guardian operating model produces compliance evidence as a byproduct of the same nightly reports your team uses for prioritization. When your auditor or examiner asks for proof that:

  • MFA is enforced across all user accounts
  • Conditional Access blocks legacy authentication
  • Devices meet minimum compliance standards via Microsoft Intune
  • Microsoft Purview DLP policies are active and monitored
  • Inactive accounts are identified and disabled within policy timeframes
  • Microsoft Purview audit logs retain administrative and data-access events for the regulation-required window

You do not build the evidence package from scratch. The data already exists in the same Microsoft Purview audit logs, Microsoft Entra ID sign-in logs, and Microsoft Intune compliance reports the operating model surfaced overnight. Pull the report, hand it to the examiner.

Curious where your tenant sits against Guardian's 90%+ baseline today? Get a free Microsoft 365 security grade: a 10-minute scan covering Identity, Data, Devices, and Apps, returned without a sales conversation.

The Four-Stage Guardian Lifecycle

Guardian operates on a continuous loop: Harden, Monitor, Insight, Respond. Guardian Security Insights is the intelligence engine that powers the Insight and Monitor stages. The Harden stage is preventive (Guardian Protect: Conditional Access policies, DMARC enforcement, Tokenator session-revocation). The Respond stage is detection-and-fix (Guardian MxDR: managed extended detection and response). This is not a one-time project. It is the operating rhythm for your tenant security.

01 Harden

ABT configures your Microsoft 365 tenant to a hardened baseline. Conditional Access policies enforce MFA via Microsoft Entra ID. Microsoft Intune manages device enrollment. Legacy authentication gets blocked. Microsoft Purview DLP policies protect sensitive borrower data. SPF, DKIM, and DMARC prevent email spoofing through Microsoft Defender for Office 365.

This is not a settings dump. Each policy is configured for your institution's specific needs. A mortgage lender with 200 loan officers needs different device-compliance rules than a credit union with 50 tellers, and a community bank with 30 branches needs different network-trust rules than either.

02 Monitor

ABT monitors your tenant continuously for drift. Policies get modified. New users bypass enrollment. Devices fall out of compliance. Monitoring catches these changes before they become incidents. ABT's team reviews monitoring data daily. Your team sees a filtered view of what requires their attention. The 500 events that resolved themselves overnight do not appear in your queue.

03 Insight

Raw monitoring data becomes prioritized intelligence. Guardian Security Insights surfaces sign-in anomalies from Microsoft Entra ID Protection, MFA coverage gaps, external sharing exposure visible in Microsoft Purview, and license utilization patterns that suggest unused capability. Guardian Productivity Insights, an optional paid add-on, shows which Microsoft 365 licenses your institution is actually using versus paying for. It is a separate cost-optimization lens.

Cyber insurance carriers now factor Microsoft Secure Score and MFA coverage into underwriting decisions. Demonstrating a high score in Identity and Data categories can lower your premiums or unlock policy terms that were previously off the table. Guardian Security Insights gives you the data to prove your posture during renewal conversations rather than reconstructing it under a deadline.

04 Respond

When a finding requires action, the Guardian operating model provides the specific remediation step. Not a generic recommendation to "improve your security posture." A specific instruction: disable this account, enroll this device, modify this policy exclusion. For incidents that require ABT's direct involvement, response runs through Guardian MxDR, ABT's managed extended detection and response service. Because ABT is already your managed Microsoft Cloud Solution Provider, there is no vendor onboarding delay when a real threat appears. The session-revocation step (Tokenator) calling Microsoft Graph is ABT's own automation; everything else is Microsoft tooling configured by the Guardian methodology.

What Changes in the First 90 Days

Mortgage lenders, credit unions, and banks who adopt Guardian Security Insights see measurable changes fast. The typical timeline:

[Figure: First 90 days with Guardian Security Insights. Baseline → hardening sprint → monitoring → steady state, mapped against Microsoft Secure Score progression and examiner-ready evidence.]

Week 1-2: Baseline assessment. The Guardian operating model scans the tenant via Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview, and produces a full risk inventory. Most institutions discover 15-30 findings they did not know existed. Stale accounts from employees who left years ago. Devices running Windows versions that are no longer supported. MFA registrations that were never completed.

Week 3-4: Hardening sprint. ABT configures Conditional Access in Microsoft Entra ID, enables Microsoft Intune enrollment, blocks legacy authentication, and deploys Microsoft Purview DLP policies. Microsoft Secure Score typically lifts 20-30 percentage points during this phase as the highest-impact gaps close.

Month 2: Monitoring and tuning. The operating model enters continuous monitoring. The initial spike of findings decreases as the hardened baseline takes hold. Your team begins working from the prioritized daily report instead of reactive alerts.

Month 3: Steady state. The daily report shrinks to a handful of items. Microsoft Secure Score stabilizes above 80% and trends toward 90%. That level puts the institution above peer percentile and, more importantly, in line with what examiners increasingly expect to see. Compliance evidence is available on demand. Your IT team spends time on strategic projects instead of manual security hygiene.

Key Takeaway

The first 90 days of Guardian Security Insights typically reclaim 14-20 hours per week of mortgage IT capacity, lift Microsoft Secure Score from a 35-55% baseline to 80%+ across Identity, Data, Devices, and Apps, and produce examiner-ready evidence as a byproduct of normal operation, without adding a third-party MSP platform to the attack surface.

The Cost of Doing Nothing

Verizon's 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled to 30% year over year. The IBM 2025 Cost of a Data Breach Report measured the average mean time to identify and contain a breach at 241 days (158 to identify, 83 to contain), and quantified shadow AI tooling adding $670,000 to the total breach cost when present in the environment.

For a mortgage lender holding borrower Social Security numbers, bank account data, and employment records, a breach is not just a fine. It is a CFPB investigation. It is a state regulatory action under the FTC Safeguards Rule. It is borrower notification letters and credit-monitoring costs. It is reputational damage that takes years to recover from, and a counterparty review from Fannie Mae, Freddie Mac, or Ginnie Mae that can put the warehouse line at risk.

The mortgage industry cannot afford the manual approach anymore.

Examiners are watching. Insurance carriers are scoring. Borrowers are asking questions. The institutions that will weather the next examination cycle are the ones that turned security into an operating rhythm, not a quarterly fire drill.

Why ABT Runs This Differently

ABT is a cloud-first managed service provider and Tier-1 Microsoft Cloud Solution Provider. That combination matters for security workflows because ABT has direct access to Microsoft engineering and premier support channels, and because ABT runs a pure Microsoft stack rather than layering on third-party MSP tooling.

ABT's entire stack is Microsoft-native: Microsoft Entra ID, Microsoft Intune, Microsoft Defender, Microsoft Purview, Microsoft Sentinel, and Microsoft Conditional Access. No ConnectWise. No Kaseya. No SolarWinds. When third-party MSP platforms suffer the kind of breaches that have hit the industry (ConnectWise ScreenConnect in February 2024, Kaseya VSA in July 2021, SolarWinds Orion in late 2020), ABT clients have zero exposure because those products are not in the supply chain.

ABT serves more than 750 financial institutions. That scale means the Guardian team has seen every configuration mistake, every compliance gap, and every audit question your institution will face. Your problems are not unique. The solutions are proven, repeatable, and already running in tenants that look like yours.

Technical Reference

Key Terms
Guardian Security Insights
The intelligence layer of ABT's Guardian operating model. Surfaces nightly findings produced by Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview into a prioritized morning report. Part of the Guardian suite alongside Guardian Protect, Guardian MxDR, and the optional Guardian Productivity Insights add-on.
Microsoft Entra ID Conditional Access
Microsoft's policy engine for enforcing access decisions based on user, device, location, and sign-in risk. The primary control that blocks legacy authentication and completes MFA enforcement, both required by GLBA and the FTC Safeguards Rule.
Microsoft Secure Score
Numerical representation of an organization's Microsoft 365 security posture across Identity, Data, Devices, and Apps categories, scored 0-100%. Microsoft benchmarks the score against similar-size tenants in the same industry, so a score of "average" can still mean dozens of recommended controls remain unimplemented. Guardian targets 90%+ for all managed tenants.
NIST Cybersecurity Framework 2.0
The federal framework for managing cybersecurity risk, now the primary reference for examiners after FFIEC retired its Cybersecurity Assessment Tool in August 2025. Defines six functions: Govern, Identify, Protect, Detect, Respond, Recover.
Legacy Authentication
Older authentication protocols (IMAP, SMTP, POP3, MAPI, EWS Basic Auth) that do not support MFA. Microsoft has long reported that more than 99% of password-spray attacks against Microsoft 365 target legacy auth. Blocking it via Conditional Access in Microsoft Entra ID is the single highest-impact Secure Score action.
Guardian MxDR
Managed extended detection and response. The response arm of the Guardian operating model, distinct from Guardian Protect (preventive controls) and Guardian Security Insights (the intelligence layer). Picks up incidents that escape preventive controls and drives them to closure.

Stop Burning Hours on Manual Security

Your IT team has better things to do than export spreadsheets and chase MFA enrollment reminders. Mastering compliance for mortgage IT teams is the same operating-model question, just framed for the auditor instead of the examiner. Either path starts with knowing where your tenant stands today.

Frequently Asked Questions

Guardian Security Insights is the intelligence layer of ABT's Guardian operating model. It surfaces nightly findings produced by Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview into a prioritized morning report covering MFA gaps, stale accounts, unmanaged devices, and policy drift. Each finding includes the affected resource and a specific remediation step rather than raw alert data.

ABT targets 90% or higher across all four Microsoft Secure Score categories: Identity, Data, Devices, and Apps. Most mortgage lenders, credit unions, and banks start between 35% and 55% when onboarding. Microsoft itself benchmarks the score against similar-size tenants in the same industry (grading on a curve), so an "average" score can still leave dozens of controls unimplemented. Guardian's operating model breaks the gap into prioritized actions ranked by risk reduction, beginning with blocking legacy authentication and completing MFA enrollment via Microsoft Entra ID Conditional Access.

The FFIEC retired its Cybersecurity Assessment Tool in August 2025 and directed institutions to NIST Cybersecurity Framework 2.0. The NCUA released an updated Automated Cybersecurity Evaluation Tool (ACET) aligned with the same framework. Guardian Security Insights produces compliance evidence mapped to NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) as a byproduct of its nightly monitoring through Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview.

No. ABT runs a pure Microsoft technology stack plus its own Guardian operating-model tooling. ABT does not use ConnectWise, Kaseya, SolarWinds, or any third-party MSP platform. When those platforms suffer breaches (ConnectWise ScreenConnect in February 2024, Kaseya VSA in July 2021, SolarWinds Orion in late 2020), ABT clients have zero exposure because those products are not in the supply chain. The entire security stack is Microsoft-native: Microsoft Entra ID, Microsoft Intune, Microsoft Defender, Microsoft Purview, and Microsoft Sentinel.

Guardian Security Insights is the intelligence layer of the Guardian operating model and focuses on threat surfacing, sign-in anomalies, MFA coverage gaps, external sharing exposure, and compliance evidence drawn from Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview. It is included with Guardian managed services. Guardian Productivity Insights is an optional paid add-on that tracks Microsoft 365 license utilization, adoption metrics, and collaboration patterns to identify cost-optimization opportunities. It is a separate observational lens, not a security control.


Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has run Microsoft security operations for mortgage lenders, banks, and credit unions since 1999. As CEO and co-founder of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he leads the Guardian operating model that helps more than 750 banks, credit unions, and mortgage companies turn manual security hygiene into a continuous, examiner-ready operating rhythm built entirely on Microsoft Entra ID, Microsoft Intune, Microsoft Defender, and Microsoft Purview.