Microsoft Secure Score tells you how your M365 tenant stacks up against recommended controls. What it does not tell you is whether those recommendations are high enough. For mortgage companies, credit unions, and banks handling regulated financial data, "passing" isn't the standard. The standard is resilience against the threats that actually target your industry.
The average Microsoft 365 tenant scores between 30% and 50%. That means a score of 65% looks strong by comparison. But comparison to the average is a trap. Financial institutions that grade on Microsoft's curve are measuring themselves against organizations that haven't touched their security settings since initial deployment. That's not a benchmark. That's a participation trophy.
Secure Score operates like a classroom grading curve. Microsoft sets a maximum based on available controls. You earn points by enabling them. The resulting percentage tells you how far you've come toward your theoretical maximum.
The catch: many organizations score low. When the average sits at 40%, a score of 65% feels like an achievement. It earns a "B" in the comparison charts. But a 65% means 35% of recommended security controls remain disabled. In a financial institution handling borrower Social Security numbers, bank account details, and income verification documents, that 35% gap represents real attack surface.
Three specific problems emerge when financial institutions accept a curved grade.
A 65% score often means MFA is enforced for admins but not all users. Legacy authentication protocols remain active for "compatibility." Service accounts lack Conditional Access policies. These are exactly the gaps that attackers exploit. In IBM's 2025 Cost of a Data Breach Report, compromised credentials remained the top initial attack vector, with an average time to identify and contain of 292 days.
Partial Intune enrollment is common. Company laptops are managed, but personal devices accessing email and SharePoint are not. A curved grade treats partial enrollment as progress. An attacker treats an unmanaged device as an unlocked door to your tenant.
Data Loss Prevention policies are often the last controls organizations enable. They require planning, testing, and user communication. A curved score lets you skip them and still look good on paper. But DLP is where the FTC Safeguards Rule lives. Without it, sensitive borrower data leaves your environment through email attachments, Teams messages, and SharePoint sharing links without anyone knowing.
Microsoft's own research shows that organizations scoring above 80% experience 67% fewer security incidents. That statistic alone should define the minimum standard for any financial institution. But the number also carries regulatory and business implications.
The FTC Safeguards Rule now requires mortgage companies to maintain comprehensive security programs, designate a Qualified Individual, and report breaches affecting 500+ customers within 30 days. The FFIEC IT Examination Handbook pushes banks toward continuous monitoring and risk assessment. NCUA expects credit unions to demonstrate measurable security controls.
None of these regulators grade on a curve. They look for specific controls. The gap between 65% and 80% on your Secure Score often contains the exact controls regulators ask about: DLP policies, device compliance enforcement, application consent restrictions, and automated alerting.
Insurance underwriters in 2025 pull Secure Score data as part of the application process. They set specific thresholds for MFA, endpoint protection, and email security. A 65% score that "beats the average" may still fall below the carrier's minimum. Coverage exclusions, higher premiums, or outright denial follow.
Every financial services breach makes the news. Board members read those headlines. When they ask "Could that happen to us?", the answer depends on your actual controls, not your relative ranking. An 80%+ Secure Score means you've deployed the controls that prevent the most common attack patterns. A 65% means you haven't.
The journey from 65% to 80% isn't about obscure or low-value controls. It typically involves the protections that matter most for regulated data.
Guardian is ABT's security operating model for Microsoft 365 tenants. It rejects the curve and sets an absolute standard: 80%+ across all four Secure Score categories (Identity, Devices, Apps, Data), maintained continuously.
Guardian achieves this through four functions.
Guardian applies a 90-day hardening sprint that addresses every high-impact Secure Score control. But it doesn't stop at the Microsoft-recommended settings. Guardian adds ABT's own baseline configurations developed across 750+ financial institutions. These configurations address attack patterns specific to mortgage companies, credit unions, and banks that Microsoft's generic recommendations don't cover.
A Secure Score doesn't stay static. Microsoft adds new controls quarterly. IT teams make changes that inadvertently weaken policies. Employees request exceptions that create gaps. Guardian monitors the score continuously and flags degradation before it becomes an exposure.
Raw Secure Score data is technical. Guardian's Security Insights translates it into category breakdowns, trend reporting, and risk prioritization that executives and board members can act on. When a category drops below 80%, the reporting identifies the specific controls that changed and the business risk they represent.
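The drift check described above, written out as an added example (not Guardian's or Microsoft's code): it computes per-category percentages from two Secure Score snapshots, flags categories under the 80% floor, and names the controls that changed. The snapshots are constructed in the shape of Graph `/security/secureScores` `controlScores` items; the control names and the per-control `maxScore` field are assumptions (in Graph the maximum per control comes from `secureScoreControlProfiles`).

```python
from collections import defaultdict

THRESHOLD = 80.0  # the absolute per-category floor described above

# Constructed snapshots shaped like Graph /security/secureScores controlScores.
# "maxScore" per control is an assumption; Graph keeps it in secureScoreControlProfiles.
PREVIOUS = [
    {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 9.0, "maxScore": 9.0},
    {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 8.0, "maxScore": 8.0},
    {"controlName": "IntuneCompliancePolicy", "controlCategory": "Device", "score": 6.0, "maxScore": 8.0},
    {"controlName": "DLPEnabled", "controlCategory": "Data", "score": 5.0, "maxScore": 5.0},
    {"controlName": "UserConsentToApps", "controlCategory": "Apps", "score": 4.0, "maxScore": 4.0},
]
# Same tenant later: legacy auth re-enabled "for compatibility", a DLP policy switched off.
CURRENT = [
    {"controlName": "MFARegistrationV2", "controlCategory": "Identity", "score": 9.0, "maxScore": 9.0},
    {"controlName": "BlockLegacyAuthentication", "controlCategory": "Identity", "score": 0.0, "maxScore": 8.0},
    {"controlName": "IntuneCompliancePolicy", "controlCategory": "Device", "score": 6.0, "maxScore": 8.0},
    {"controlName": "DLPEnabled", "controlCategory": "Data", "score": 2.0, "maxScore": 5.0},
    {"controlName": "UserConsentToApps", "controlCategory": "Apps", "score": 4.0, "maxScore": 4.0},
]

def category_percentages(controls):
    """Earned/possible points per Secure Score category, as a percentage."""
    earned, possible = defaultdict(float), defaultdict(float)
    for c in controls:
        earned[c["controlCategory"]] += c["score"]
        possible[c["controlCategory"]] += c["maxScore"]
    return {cat: round(100 * earned[cat] / possible[cat], 1) for cat in possible}

def below_threshold(controls, threshold=THRESHOLD):
    """Categories that fail the absolute floor (the 80% standard)."""
    return sorted(c for c, p in category_percentages(controls).items() if p < threshold)

def degraded_controls(previous, current):
    """Controls whose score fell between snapshots: the drift to investigate."""
    before = {c["controlName"]: c["score"] for c in previous}
    return sorted(
        (c["controlCategory"], c["controlName"], before[c["controlName"]], c["score"])
        for c in current
        if c["controlName"] in before and c["score"] < before[c["controlName"]]
    )

def drift_report(previous, current):
    """Newly failing categories paired with the controls that changed in them."""
    newly_failing = set(below_threshold(current)) - set(below_threshold(previous))
    drops = degraded_controls(previous, current)
    return {cat: [d[1] for d in drops if d[0] == cat] for cat in sorted(newly_failing)}
```

Running `drift_report(PREVIOUS, CURRENT)` on the constructed data reports Identity and Data as newly below 80%, each with the control that changed; Device was already below the floor and is not a new regression.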
When monitoring detects an anomaly or an incident bypasses preventive controls, Guardian's response process activates. This closes the gap between detecting a problem and resolving it, which IBM's research shows averages 241 days globally. Financial institutions can't afford that timeline.
ABT runs a pure Microsoft technology stack. No ConnectWise. No Kaseya. No SolarWinds. Every security control, monitoring tool, and management platform is Microsoft-native: Entra ID, Intune, Defender for Endpoint, Defender for Office 365, Conditional Access, Purview, and Sentinel.
This matters for Secure Score because third-party MSP platforms introduce their own attack surface. The ConnectWise ScreenConnect breach in February 2024. The Kaseya VSA attack in July 2021. The SolarWinds supply chain compromise in December 2020. Each one affected thousands of MSP clients. ABT clients had zero exposure to all three because the architecture doesn't include those platforms.
Your Secure Score measures your Microsoft 365 controls. If your MSP introduces non-Microsoft tools with their own vulnerabilities, your Secure Score can't warn you about that additional risk. A pure Microsoft stack means your score reflects your actual security posture without hidden dependencies.
Setting an 80% minimum isn't just a technical decision. It changes how your organization thinks about security.
Microsoft research shows organizations scoring above 80% experience 67% fewer security incidents. For financial institutions regulated by the FTC Safeguards Rule, FFIEC, and NCUA, the controls between 65% and 80% typically include DLP policies, full device compliance, and application consent restrictions. These are the specific protections regulators evaluate during examinations.
The average Microsoft 365 tenant scores between 30% and 50% because most organizations use default configurations. Measuring against this average makes a 65% score appear strong when it still leaves 35% of recommended controls disabled. For financial institutions handling regulated data, those disabled controls often include DLP, full MFA enforcement, and device compliance policies that regulators require.
The gap between 65% and 80% usually contains MFA for all users beyond administrators, full Intune device compliance enforcement, Data Loss Prevention policies for email and Teams, application consent restrictions, email authentication protocols (SPF, DKIM, and DMARC), and risk-based Conditional Access policies. These are the controls that prevent the most common attack patterns targeting financial institutions.
Secure Score measures Microsoft 365 controls. When an MSP introduces third-party platforms like ConnectWise or Kaseya, those tools create additional attack surface that Secure Score cannot measure. A pure Microsoft stack means the score reflects actual security posture without hidden dependencies on platforms that have their own breach history, including ConnectWise ScreenConnect in 2024 and Kaseya VSA in 2021.
Guardian uses a continuous four-phase cycle: hardening applies high-impact configurations during a 90-day sprint, monitoring tracks the score and flags drift as Microsoft adds new controls quarterly, Security Insights translates technical data into executive reporting with category breakdowns and trend analysis, and response handles incidents when preventive controls are bypassed. This cycle maintains the score above 80% as an ongoing operating standard.
Your financial institution handles data that attackers want and regulators protect. The standard for your security posture should reflect that reality, not the average configuration of every Microsoft 365 tenant on the planet.
ABT's Security Grade Assessment shows you where your Secure Score stands, what the gaps cost you in risk exposure, and how Guardian's operating model reaches and maintains the 80%+ standard that separates protected institutions from vulnerable ones.
Request your Security Grade Assessment and find out what higher standards look like for your organization.