Financial services executives face a growing paradox. IBM's 2025 Cost of a Data Breach Report puts the average financial services breach at $5.56 million, second only to healthcare. Yet most mortgage companies, credit unions, and banks still lack a clear way to measure whether their defenses are keeping pace with the threats consuming those budgets.
Microsoft Secure Score gives you that measurement. It assigns a percentage grade to your Microsoft 365 tenant based on security configurations, policies, and protections you have in place. Organizations scoring above 80% experience 67% fewer security incidents according to Microsoft. Guardian Security Insights pushes financial institutions beyond that threshold to 90%+, where compliance evidence, insurance leverage, and operational resilience all compound. The question is not whether Secure Score matters. The question is what you do once you know the number.
Here is the gap most financial institutions are sitting on right now, and it is wider than most executives realize.
| Security Posture Metric | Industry Average | Recommended Baseline | Guardian Standard |
|---|---|---|---|
| Microsoft Secure Score | 30-50% | 75%+ | 90%+ |
| MFA Enforcement | Partial (admins only) | All users | All users + service accounts |
| Legacy Auth Protocols | Still enabled | Blocked | Blocked + monitored |
| DLP Policies Active | None or basic | Financial data covered | NPI + loan data + wire instructions |
| Device Compliance | Unmanaged | Enrolled + baseline | Intune + Defender for Endpoint |
What Microsoft Secure Score Actually Measures
Secure Score evaluates your Microsoft 365 environment across four categories: Identity, Devices, Apps, and Data. Each category contains dozens of individual controls. Enable multi-factor authentication for all admins? Points. Require device compliance through Intune? Points. Block legacy authentication protocols? More points.
The total score is a percentage of your maximum achievable score. That maximum varies by organization because it depends on which Microsoft licenses you own. A company running Business Premium has different available controls than one running E5.
What Secure Score Does Not Measure
Secure Score is specific to your Microsoft 365 tenant configuration. It does not evaluate third-party tools, employee awareness training, physical security, or custom applications outside the Microsoft ecosystem. Treat it as one vital signal in a broader security picture, not the whole picture.
Microsoft updated Secure Score in late 2025 with a risk-based scoring formula in Defender for Cloud that prioritizes individual findings by asset risk and criticality. New controls continue to be added quarterly, which means your score can drop even when you haven't changed anything. Staying above 90% requires continuous attention, not a one-time hardening sprint.
Why Financial Services Executives Should Track Secure Score
For regulated financial institutions, Secure Score connects directly to four business outcomes that matter at the executive level.
Regulatory Compliance
The FTC Safeguards Rule requires mortgage companies to maintain an information security program with administrative, technical, and physical safeguards. Under the 2024 amendment, non-banking financial institutions must report breaches affecting 500 or more customers to the FTC within 30 days. A strong Secure Score demonstrates that your Microsoft 365 tenant meets the technical safeguard requirements and creates documented evidence for auditors.
Banks face FFIEC IT Examination Handbook requirements. Credit unions answer to NCUA, which updated its Automated Cybersecurity Examination Tool (ACET) in 2025 to align with NIST Cybersecurity Framework 2.0. In each case, regulators want measurable security controls. Secure Score provides that measurement.
Breach Cost Reduction
IBM's 2025 Cost of a Data Breach Report found that financial firms carry a $5.56 million average breach cost, second only to healthcare at $7.42 million. When U.S.-specific costs are factored in, organizations absorb an average of $10.22 million per incident. Phishing alone accounts for 16% of breaches at $4.8 million each, while supply chain compromises average $4.91 million.
Many of those costs map directly to Secure Score controls. Stale admin accounts that were never disabled. Conditional Access policies that allow legacy authentication. MFA gaps that leave service accounts exposed. Fixing these pushes your score up and your risk exposure down.
Cyber Insurance Eligibility
Cyber insurance carriers now evaluate Microsoft Secure Score data during underwriting. Carriers want evidence of MFA enforcement, email security controls, and endpoint compliance. Higher scores with documented MFA and DLP controls can support lower premiums, while significant control gaps may trigger coverage exclusions or higher deductibles. Your Secure Score has become a financial document, not just a technical dashboard.
Board-Level Reporting
Board members ask one question about cybersecurity: "Are we protected?" Secure Score gives you a number to answer with. It tracks over time, showing whether security posture is improving or degrading. That trend line tells a story no narrative report can match.
Know where your Secure Score stands today
ABT's Security Grade Assessment maps your tenant controls to the benchmarks that regulators and insurers measure.
Where Most Organizations Fall Short
The average Microsoft 365 tenant scores between 30% and 50% out of the box. Default configurations leave critical protections disabled. Most financial institutions that have not gone through a deliberate hardening process sit in this range.
Three patterns explain the gap.
Default M365 Configuration
- Legacy authentication protocols enabled
- No Conditional Access policies
- External sharing unrestricted
- No DLP policies active
- Devices unmanaged by Intune
Guardian-Hardened Configuration
- Legacy auth blocked and monitored
- Risk-based Conditional Access enforced
- External sharing restricted to approved domains
- Financial data DLP active across email, Teams, SharePoint
- All devices enrolled with compliance baselines
Configuration Drift
IT teams enable security controls during initial deployment, then never revisit them. Microsoft releases new capabilities quarterly. Conditional Access policies that were strong in 2023 may be incomplete in 2026. Secure Score reflects this drift before attackers exploit it.
License Waste
Many organizations pay for Microsoft Business Premium or E5 but only use a fraction of the included security features. Intune device compliance, Defender for Office 365, and Purview Data Loss Prevention are included in the license cost. Not deploying them means paying for protection you never activate.
Siloed Responsibility
When no single person owns the Secure Score, nobody tracks it. IT handles devices. Compliance handles policies. Security handles incidents. The score spans all three domains. Without an owner, improvement stalls.
A Practical Roadmap to Improve Your Secure Score
Improving your score follows a predictable sequence. Start with the highest-impact actions that affect the most users, then work toward the long tail of specialized controls.
- Phase 1 (Weeks 1-4): MFA, block legacy auth, disable stale accounts
- Phase 2 (Weeks 5-8): Intune enrollment, Defender for Endpoint, compliance baselines
- Phase 3 (Weeks 9-12): DLP policies, sensitivity labels, external sharing controls
- Phase 4 (Ongoing): Continuous score tracking, quarterly control reviews, drift alerts
Phase 1: Identity Controls (Weeks 1-4)
Identity is where most organizations gain the most points fastest. Start here.
- Enforce MFA for all users including admins, service accounts, and break-glass accounts. This single control blocks 99.2% of account compromise attacks according to Microsoft. Starting in 2025, Microsoft began requiring MFA for all admin accounts across tenants.
- Block legacy authentication protocols that bypass MFA entirely. POP3, IMAP, and SMTP AUTH are the most common attack vectors for credential stuffing.
- Review and disable stale accounts. Any account inactive for 90+ days should be disabled or removed. Stale accounts are free entry points.
- Implement Conditional Access policies for location-based access, device compliance, and risk-based sign-in evaluation.
Phase 2: Device Compliance (Weeks 5-8)
Devices that access your Microsoft 365 data must meet baseline security standards.
- Enroll devices in Intune for compliance management. Define policies requiring encryption, OS updates, and security baselines.
- Deploy Defender for Endpoint on all company-managed devices. This earns additional Secure Score points and provides real-time threat detection.
- Create compliance policies that block access from non-compliant devices. A laptop missing three months of security patches should not access loan data.
Phase 3: Data Protection (Weeks 9-12)
Data protection controls address the regulatory requirements that financial institutions face daily.
- Configure Data Loss Prevention (DLP) policies in Microsoft Purview to prevent sensitive data from leaving your environment through email, Teams, or SharePoint.
- Enable sensitivity labels so employees can classify documents containing borrower information, financial records, or compliance materials.
- Review external sharing settings in SharePoint and OneDrive. Restrict sharing to approved domains.
Phase 4: App Protection and Monitoring (Ongoing)
The final category covers application-level controls and continuous monitoring.
- Enable Microsoft Defender for Office 365 with Safe Links and Safe Attachments to protect against phishing.
- Configure app consent policies to prevent users from granting permissions to malicious third-party applications.
- Set up automated alerts for score changes. A sudden drop signals a configuration change or policy removal that needs investigation.
How Guardian Security Insights Wraps Around Your Secure Score
Guardian Security Insights is ABT's security operating model for Microsoft 365 tenants. It is not a separate product you install. It is the continuous cycle of hardening, monitoring, insight delivery, and response that surrounds your tenant.
For Secure Score, Guardian Security Insights operates across four functions:
Hardening
Applies the high-impact security configurations that push your score upward: Conditional Access, Intune baselines, email authentication (SPF, DKIM, DMARC), and DLP rules. Targets a Secure Score of 90%+ within a 90-day sprint.
Monitoring
Tracks your score continuously. When Microsoft adds new controls, Guardian evaluates and implements them. When configuration drift occurs, it flags the change before your score drops.
Security Insights
Translates your Secure Score into executive-level reporting. Category breakdowns, trend lines over weeks and months, risk prioritization showing which actions deliver the most protection per hour invested.
Response
Handles the incidents that even a high Secure Score cannot prevent: sign-in anomalies, suspicious email bypasses, and hands-on remediation when automated defenses are not enough.
The gap between having a Secure Score and acting on it is exactly where most financial institutions lose ground. Guardian closes that gap by turning the number into a continuous operating standard.
Secure Score in the Context of Regulatory Frameworks
Each regulatory body that oversees financial institutions maps to specific Secure Score categories.
| Regulatory Framework | Applies To | Key Secure Score Categories | What Examiners Look For |
|---|---|---|---|
| FTC Safeguards Rule | Mortgage companies | Identity, Data | MFA, access controls, encryption, DLP, incident response plan |
| FFIEC IT Examination Handbook | Banks | Devices, Apps | Endpoint protection, application security, device management |
| NCUA ACET (NIST 2.0) | Credit unions | Identity, Data | Member data protection, access controls, 72-hour incident notification |
| GLBA Safeguards | All financial institutions | All four categories | Administrative, technical, and physical safeguards documented |
FTC Safeguards Rule (Mortgage Companies): Requires a designated Qualified Individual, risk assessments, access controls, encryption, MFA, and incident response. Secure Score controls for Identity and Data map directly to these requirements. The FTC issued updated compliance guidance in June 2025, reinforcing the technical control expectations.
FFIEC IT Examination Handbook (Banks): Covers information security, business continuity, and IT audit. Secure Score's Device and App categories address device management, endpoint protection, and application security requirements from the handbook.
NCUA Cybersecurity Requirements (Credit Unions): Focuses on member data protection, access controls, and incident response. The NCUA updated its ACET tool in 2025 to align with NIST Cybersecurity Framework 2.0 after the FFIEC CAT was retired. Secure Score's Identity controls (MFA, Conditional Access) and Data controls (DLP, sensitivity labels) map to NCUA expectations.
GLBA (All Financial Institutions): The Gramm-Leach-Bliley Act applies to everyone. Its Safeguards Rule provisions require administrative, technical, and physical safeguards. A strong Secure Score demonstrates the technical safeguard layer.
Measuring Progress: What Good Looks Like
Set clear benchmarks tied to your business reality.
Most financial institutions using default M365 configurations score between 30% and 50%. Guardian targets 90%+ as a continuous operating standard.
- Below 40%: Critical risk. Your tenant is running default configurations. Most security features are disabled. Prioritize immediate hardening.
- 40-60%: Below average. Core controls are partially deployed. Common gaps include inconsistent MFA, no device compliance policies, and missing DLP rules.
- 60-80%: Progressing. Foundational controls are in place. Focus shifts to advanced protections, monitoring, and closing the remaining gaps.
- 80-90%: Strong foundation. You have deployed the controls that matter most. Focus shifts to advanced protections and closing the final gaps.
- 90%+: Guardian standard. Continuous monitoring prevents drift. Regulatory conversations become evidence-based rather than defensive. Insurance carriers see the documentation they need.
Key Takeaway
The goal is sustained performance above 90%. Not a one-time achievement. A continuous operating standard that Guardian Security Insights maintains through ongoing monitoring and adjustment. Microsoft adds new controls quarterly and configuration drift can erode progress. A score that was 92% in January can slip to 84% by March without active management.
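The drift alert from Phase 4 and the posture bands above, worked as an added example (not ABT's or Microsoft's code): it reads consecutive Secure Score snapshots in the shape Microsoft Graph returns from /security/secureScores, assumes those have already been fetched, and separates a genuine drop (points lost on a control you already had) from the percentage fall that happens when Microsoft adds new controls and nothing in the tenant changed. The snapshots, control names and scores are constructed sample data.

```python
"""Secure Score drift check over Microsoft Graph secureScores snapshots.
Added example, not ABT's or Microsoft's code. Assumes GET /security/secureScores
(Microsoft Graph) has already been fetched into dicts with 'currentScore',
'maxScore' and 'controlScores' (each with 'controlName', 'score'); the
snapshots below are constructed sample data with illustrative control names."""

# Posture bands from the article's "What Good Looks Like" section: (upper bound, label).
BANDS = [(40, "Critical risk"), (60, "Below average"), (80, "Progressing"),
         (90, "Strong foundation")]

def percent(snap):
    """Score as a percentage of this tenant's maximum achievable score."""
    return round(100.0 * snap["currentScore"] / snap["maxScore"], 1)

def band(pct):
    """Map a percentage to the article's bands; 90%+ is the Guardian standard."""
    return next((label for upper, label in BANDS if pct < upper), "Guardian standard")

def control_deltas(prev, curr):
    """Per-control changes as (name, old, new); old is None for newly added controls."""
    old = {c["controlName"]: c["score"] for c in prev["controlScores"]}
    return [(c["controlName"], old.get(c["controlName"]), c["score"])
            for c in curr["controlScores"] if old.get(c["controlName"]) != c["score"]]

def classify(prev, curr):
    """Explain a move between consecutive snapshots: (kind, delta_pct, details).
    'drift': points lost on controls you already had (a policy was changed or
    removed); details lists them for investigation. 'new_controls': maxScore rose
    because Microsoft added controls, so the percentage fell with no tenant change."""
    delta = round(percent(curr) - percent(prev), 1)
    deltas = control_deltas(prev, curr)
    lost = [d for d in deltas if d[1] is not None and d[2] < d[1]]
    if lost:
        return "drift", delta, lost
    if curr["maxScore"] > prev["maxScore"] and delta < 0:
        return "new_controls", delta, [d for d in deltas if d[1] is None]
    return ("improved" if delta > 0 else "stable"), delta, []

# Constructed snapshots illustrating the article's January-to-March slip.
JAN = {"currentScore": 46, "maxScore": 50, "controlScores": [
    {"controlName": "AdminMFA", "score": 10}, {"controlName": "BlockLegacyAuth", "score": 8},
    {"controlName": "DLPFinancialData", "score": 8}, {"controlName": "IntuneCompliance", "score": 20}]}
FEB = {"currentScore": 46, "maxScore": 55,  # Microsoft added a control; tenant unchanged
       "controlScores": JAN["controlScores"] + [{"controlName": "NewQuarterlyControl", "score": 0}]}
MAR = {"currentScore": 42, "maxScore": 55,  # legacy auth block partially removed: real drift
       "controlScores": [dict(c, score=4) if c["controlName"] == "BlockLegacyAuth" else c
                         for c in FEB["controlScores"]]}

if __name__ == "__main__":
    for label, prev, curr in (("Jan->Feb", JAN, FEB), ("Feb->Mar", FEB, MAR)):
        kind, delta, details = classify(prev, curr)
        print(f"{label}: {percent(curr)}% {band(percent(curr))}; {kind} {delta:+.1f} {details}")
```

Only the "drift" case warrants an investigation ticket; a "new_controls" result is a to-do to evaluate and implement the added controls, which is the quarterly review the page describes.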
Frequently Asked Questions
A score above 90% indicates strong security posture for mortgage companies. Most tenants using default configurations score between 30% and 50%. Financial institutions should target 90% as a minimum and maintain it through continuous monitoring to satisfy FTC Safeguards Rule requirements and demonstrate technical controls to cyber insurance carriers during underwriting.
Cyber insurance carriers now evaluate Secure Score data during underwriting for financial institutions. A score above 80% with documented MFA enforcement and data loss prevention can lead to lower premiums. Scores below 60% may trigger coverage exclusions or higher deductibles. Carriers specifically look for MFA compliance, endpoint protection, and email security controls within the score breakdown.
Secure Score addresses the technical safeguard requirements of the FTC Safeguards Rule but does not cover administrative or physical safeguards. It demonstrates MFA enforcement, access controls, encryption, and data loss prevention configurations. Financial institutions need Secure Score plus documented policies, risk assessments, a designated Qualified Individual, and incident response plans to achieve full compliance.
Most financial institutions can reach 90% within 90 days through a structured hardening sprint. Identity controls like MFA and blocking legacy authentication provide the fastest gains in weeks one through four. Device compliance and data protection follow in weeks five through twelve. Maintaining the score requires continuous monitoring because Microsoft adds new controls quarterly and configuration drift can erode progress.
Guardian Security Insights is ABT's security operating model that wraps around your Microsoft 365 tenant. It uses Secure Score as one of several measurement tools within a continuous cycle of hardening, monitoring, insight delivery, and incident response. Guardian Security Insights applies the configurations that raise your score, monitors for drift that would lower it, and delivers executive reporting that translates the score into business risk language.
Your Secure Score Exists Right Now. Do You Know the Number?
ABT's Security Grade Assessment breaks down your current posture across Identity, Devices, Apps, and Data, identifies the highest-impact actions for your specific environment, and maps your controls to the regulatory frameworks that govern your institution.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has led security risk management programs for financial institutions since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies translate Microsoft Secure Score into measurable risk reduction and regulatory compliance.