ProSIX Reduces Cyber Risk: Tell Your Consulting Firms

Your professional services firms are trusted partners that often access or manage confidential and proprietary systems, business processes, intellectual property, and client data. How can you help them mature their security programs to reduce your third-party risk? Encourage your accounting, business, and technology consulting firms to join ProSIX, a non-profit, member-driven threat information sharing community. ProSIX provides collective defense for member organizations, helps members identify emerging threats and attack methods, and provides a collaborative platform to develop effective preventive measures.

The need is there. Verizon’s 2020 Data Breach Investigations Report (DBIR) analyzed 326 data breaches from 7,463 incidents in the professional services sector. Additionally, the 2019 DBIR indicated that professional services executives were six times more likely to be compromised than the median. These firms also top the charts in the number of infected systems.

In the professional services sector, companies like KPMG and other top 25 advisory firms have joined together to cooperatively minimize their cyber risk through ProSIX, the Professional Services Information Exchange. By collaboratively sharing threat information and attack and vulnerability details, these organizations are raising their collective awareness and improving their individual response times. The National Institute of Standards and Technology (NIST) 800-53 Control PM-16 describes threat information sharing like that done in ProSIX as “one of the best techniques to address [the sophistication of Advanced Persistent Threats].”

Threat information sharing within a secure community of vetted practitioners, leveraging common technology and controls, is also a source of actionable alerts on more common threat vectors, from cyber criminals to system vulnerabilities. And in that vein, professional services firms have suffered setbacks:

· Recently a threat actor compromised a major consulting and accounting firm’s email server through an administrator’s account, which provided access to confidential emails and plans of major clients.

· Two top-ten consulting firms left sensitive files publicly exposed on Amazon S3 storage buckets in separate incidents. Exposures included thousands of passwords, API keys to sensitive systems, documents, and master keys to data from most of the Fortune 100.

In fact, the 2020 Verizon DBIR cites misconfiguration as a primary security error in the industry; professional services firms should have security at least on par with their most secure clients. By joining ProSIX, firms can access best practices and further protect the sensitive information they hold by preventing avoidable attacks and mitigating the impact of successful penetrations through the warning and guidance of fellow community members and ProSIX staff.

For their part, ProSIX staff enrich shared information and distribute finished intelligence to the community. Their alerts and best practices are sourced from other sharing communities, government partners, private security vendors, and the members’ own impressive contributions.

ProSIX was created by Global Resilience Federation (GRF), leveraging its extensive experience in establishing, growing, and managing information sharing networks. Incorporated into GRF’s cross-sector hub, ProSIX is also able to receive warning from nine other sharing communities with members from all over the world.

To better protect your data, encourage your accounting, business, and technology consulting firms to consider membership in ProSIX. Ask them to email info@prosix.org for details or visit www.prosix.org.

Pat McGlone