Introduction
Amazon was founded in Washington in 1994 and reincorporated in Delaware in 1996. Amazon describes its selling mechanisms in its Form 10-K filing with the United States Securities and Exchange Commission (Amazon, n.d. a). The corporation is guided by four principles: a customer-centric approach rather than a competitor-focused one, a passion for invention, a commitment to operational excellence, and long-term thinking. The firm serves its major customer groups in each category, including consumers, sellers, developers, enterprises, and content creators. Additionally, the firm offers other services, including advertising and co-branded credit card agreements (Amazon, n.d. b). This diverse range of services benefits individuals, manufacturers, small enterprises, artists, filmmakers, and large institutions every day. Amazon employs nearly 570,000 full-time and part-time staff, and its quarterly and yearly revenue has grown over the last three years. The company’s growth was also aided by the 2017 acquisition of Whole Foods Market.
With Amazon’s increasing prominence and usage, the firm must build systems and applications that handle traffic securely. Because of that prominence, the firm already employs many security measures to ward off cyber-attacks (Amazon, n.d. a). It may be vital for Amazon to focus on three elements of cybersecurity: antivirus and firewall software, SSL/TLS certificates, and cybersecurity training tools. Antivirus and firewall software may mitigate risks such as hacking, ransomware, and phishing. SSL/TLS certificates encrypt data during transactions and protect its integrity. As Amazon is a huge international corporation with thousands of employees, human error represents a significant risk. Moreover, Amazon operates in a highly competitive market, so insider threats are also significant. Both of these human-related risks may be mitigated by cybersecurity training tools.
Governance Frameworks and Standards
To address IT-related risks for e-Commerce and related business operations, a number of frameworks can be utilized individually or in combination. For instance, Thomas (2017) provides an example of how COBIT 5 and the NIST CSF may be combined within one organization. One of the key tasks in securing e-Commerce is to protect assets from external threats while keeping internal access convenient and hassle-free. By combining COBIT 5 and the NIST CSF, decision-makers are able to build a step-by-step management strategy and implement effective cybersecurity protocols, respectively (Thomas, 2017). Another example of their combined use is developing a set of individual defense mechanisms using COBIT 5 and then evaluating their effectiveness and impact with the NIST CSF, which is itself a strategy for minimizing risk (Thomas, 2017). These solutions are complex but, at the same time, allow the creation of reliable protection for e-Commerce organizations with a large volume of IT resources.
When implementing the aforementioned cybersecurity frameworks in the risk management programs of e-Commerce organizations, it is essential to consider where these standards intersect and the range of problems each covers. For instance, the NIST CSF adapts to specific conditions, but COBIT 5 does not, which requires building an interaction structure between them (Thomas, 2017). Another valuable tip for aligning these two frameworks is their ability to address “a gap between enterprise governance and operations,” which the author also calls “middleware” (Thomas, 2017, para. 4). Owing to their particular characteristics, ISO 27000/1/2 works well with COBIT 5 because the former’s flexibility complements the latter’s functionality and helps build a coherent defense structure (Gehrmann, 2012). ISO 27000/1/2 focuses exclusively on information security, which is beneficial for the e-Commerce sector, while the NIST CSF can address broader aspects (Mbanaso et al., 2019). Finally, ISO 27000/1/2 and COBIT 5 can complement each other by addressing privacy considerations while providing access to flexible risk management strategies (Gehrmann, 2012). These recommendations reflect the variety of ways cybersecurity frameworks can be applied in e-Commerce organizations.
Cybersecurity Industry and Supplier Overview
Modern technology advances significantly each year and has become a central component of most businesses and corporations. Organizations rely more and more on digital technologies, not only in the IT industry but in all industries. Digital technology is highly beneficial for storing and analyzing big data, optimizing documentation, improving workflow, and accelerating communication. However, it may not always be sufficiently reliable, as emerging digital technologies may be vulnerable while cybercrime is rapidly evolving as a business. Moreover, because digital technologies advance fast, it may be costly to maintain internal cybersecurity services. Therefore, organizations tend to buy the services or products of independent cybersecurity suppliers. Cybersecurity providers have sufficient experience in the field and may benefit from economies of scale, so their services are very cost-efficient. These services provide digital defense against phishing, mobile malware, and ransomware, significantly benefitting society by protecting data from compromise. It is therefore necessary to identify potential vendors that provide cybersecurity solutions suitable for Amazon.
Antivirus and Firewall
Antivirus software is considered a crucial aspect of the cyber security of any company. Numerous vendors sell antivirus and firewall products, including Kaspersky, ESET, McAfee, Avast, Norton, and Bitdefender. All of these vendors provide similar packages of services at relatively similar prices. US News evaluated antivirus solutions to produce a list of the top nine antivirus vendors. The three best antivirus and firewall vendors are Bitdefender (first place), Kaspersky (second place), and Webroot (third place) (Kinny, 2021). Since Amazon is one of the largest companies in the world and highly sensitive to cybersecurity risks, it would be appropriate for the company to use the best provider regardless of the price of the solution. Among the top three providers, Kaspersky is the best choice as an antivirus/firewall provider. Even though Bitdefender is considered the top provider, it does not offer identity theft protection, which is crucial for Amazon (Kinny, 2021). Webroot also lacks identity theft protection and a virtual private network, both of which are crucial for mitigating the identified risks (Kinny, 2021). Thus, even though Kaspersky may be expensive, it is the best option for Amazon.
SSL/TLS Certificates
SSL/TLS certificates protect data in transit, which addresses one of Amazon’s central cyber security risks. The most widely known vendors include Comodo, DigiCert, GeoTrust, and GlobalSign (Pickavance, 2021). The certificates provide a similar level of protection regardless of the vendor. Therefore, when selecting a vendor, Amazon should seek the best deal it can get in terms of pricing.
Cyber Security Training Tools
Cyber security training tools are crucial for preventing human error and protecting against insider threats. Training also helps to avoid phishing, ransomware, and malware, which is crucial for Amazon. According to eSecurity Planet, the top three vendors of cyber security training programs are KnowBe4, Cofense, and CybSafe (Robb, 2021). All three companies provide similar services; however, CybSafe can tailor its content to the knowledge level of the employees. This feature is crucial for Amazon, as it is a multinational company with more than a million employees who have different levels of cyber security awareness. It is crucial that training is personalized to take into account the individual needs and skills of the employees. Thus, CybSafe is the preferred vendor among the out-of-the-box solutions for cyber security training. However, it may still be appropriate for Amazon to develop its own training courses to meet the specific needs of the company.
Operational Risks Overview
Modern businesses face a wide variety of operational risks, and the cybersecurity industry is not an exception. In most cases, cybersecurity suppliers face the same or similar operational risks as any other digital product provider. Operational risks are closely linked with the uncertainties of both internal and external business environments. Therefore, it may be critical to comprehensively assess and analyze the business environment in order to identify possible risks and the extent of their influence. As the environment may include a large number of factors, operational risks may come from a wide diversity of sources, which have certain features and specific fields of impact.
Cyber-attacks represent one of the most common and significant operational risks in the modern economy. Digital product suppliers are particularly vulnerable to cyber-attacks and related problems. The issue is significantly worsened by the fact that the digital environment is relatively young and is not always properly prepared for such threats. Paradoxically, cybersecurity suppliers also face cyber-attacks as a potential risk. Even though these companies are significantly better prepared and have sufficient experience in the area, the cyber-attacks aimed at such organizations are more severe. This may be explained by the fact that breaching the cyber defense of a cybersecurity provider may give the attackers access to the users of its cybersecurity products. According to some sources, successful attacks may cause $301 of financial damage per employee to the targeted organization (Jacobs, 2018). The financial losses may be considerably greater if the targeted organization is a cybersecurity supplier.
As with any other organization, operational risks may be closely related to human error. Such a risk may be significantly reduced by rational management and sufficient attention to human resource management, yet it may not be possible to avoid it completely. Cybersecurity services require both timely updates that utilize relevant digital security methods and techniques and constant maintenance. Even though digital product providers tend to use automation, it may not be possible to exclude the human factor completely. Human error may not only threaten the internal environment of a cybersecurity organization but also compromise the cybersecurity of provided products and services.
Another considerable operational risk is closely linked with the trend toward outsourcing. Outsourcing is particularly relevant in organizations that produce digital products, and hence it is broadly utilized by cybersecurity companies. However, such an approach may introduce a number of significant operational risks. Even though outsourcing is one of the most cost-efficient techniques that allow companies to achieve maximum productivity with minimal management costs, it may be less reliable. Digital products supplied by outsourcing organizations may frequently fail to meet quality requirements. Risk management is particularly vital for cybersecurity software providers, and hence these risks should be addressed.
There are also some less influential yet not insignificant factors and risks that affect the cybersecurity industry. As modern legislation tends to provide more and more control over the digital area, regulations may represent a considerable operational risk. The issue is worsened by the fact that these regulations emerge rapidly and consequently are hard to predict. Digital disruption also represents an essential operational risk in the industry. As technology advances, it may be critical for cybersecurity organizations to rely on the most relevant hardware and software.
Product Liability
In most cases, cybersecurity products and services are digital products, and particularly software. Therefore, cybersecurity product liability is similar to digital product liability. Even though a significant number of legal frameworks are designed to regulate software liability, current legislation may be insufficient. It is hard to regulate an industry that advances rapidly and comprehensively, and hence, in most cases, the legislation becomes obsolete and laws are defined vaguely. However, as the industry develops, new laws emerge, improving product liability. Although it may be relatively complicated to introduce adequate and relevant legislation, cybersecurity product liability is constantly increasing. In general, the market is significantly more reliable now than it was a decade ago.
In 2016 a considerable “distributed denial of service” (DDoS) attack caused severe damage to consumer devices. Lack of cybersecurity caused the shutdown of internet connections on the US Eastern Seaboard (O’Brien, 2018). The incident affected a wide variety of devices, including personal devices, Wi-Fi routers, and even cameras. As digital technologies develop and spread into new fields and areas, the potential damage of such DDoS attacks increases. Therefore, California introduced the first Internet of Things security law (O’Brien, 2018). The law obliges manufacturers to provide devices with sufficient and reasonable cyber security features in order to protect both personal data and the device. Even though the law does not directly address the liability of cybersecurity products, it represents a considerable step towards the development of relevant legislation.
As already mentioned, there may be no adequate legal framework that could ensure cybersecurity product liability yet. In order to introduce such laws, it may be necessary to identify criteria, which may be used to assess digital product defectiveness. Furthermore, it is also necessary to identify the party that is responsible for the quality of the product and the damage caused by any malfunctions or flaws. According to some sources, legislation already faced similar issues as a result of rapid technological change (Dean, 2018). It may be possible that cybersecurity product liability may find sufficient legal support in the near future. Although current laws may not fully regulate the cybersecurity industry, organizations may and should rely on such products as the alternative is to have no security at all.
Conclusion
Digital technology is present in almost every industry and is utilized by most businesses regardless of the extent of their digitalization. As cybercrimes occur more and more frequently and become a profitable business, cybersecurity is more relevant today than ever. It may be vital for both small organizations and transnational corporations to utilize such products and services. However, it was determined that cybersecurity suppliers are affected by a significant number of operational risks. These risks may not only affect the supplier but also compromise the product and threaten the cybersecurity of the consumer. Moreover, current legislation does not provide sufficient product liability in the cybersecurity industry and may require further development. Nonetheless, even though there are considerable flaws and problems in the cybersecurity field, it is developing at rapid rates and may reach reasonable levels of reliability and quality in the near future. Therefore, it may be highly beneficial for both suppliers and purchasers to endeavor to ensure further advancement of both cybersecurity quality and related legislation.
References
Amazon. (n.d. a). Form 10-K. United States Securities and Exchange Commission. Web.
Amazon. (n.d. b). Amazon Prime. Web.
Dean, B. (2018). An exploration of STRICT products liability and the Internet of things. SSRN Electronic Journal. Web.
Gehrmann, M. (2012). Combining ITIL, COBIT and ISO/IEC 27002 for structuring comprehensive information technology for management in organizations. Navus-Revista de Gestão e Tecnologia, 2(2), 66-77.
Jacobs, D. (2018). Top 11 operational risks for the year. Digital Transformation. Web.
Kinny, J. (2021). The best antivirus software of 2021. US News. Web.
Mbanaso, U. M., Abrahams, L., & Apene, O. Z. (2019). Conceptual design of a cybersecurity resilience maturity measurement (CRMM) framework. The African Journal of Information and Communication, 23, 1-26. Web.
O’Brien, H. M. (2018). Internet-of-Things security standards: Will states follow California’s lead or look across the pond for further guidance? Product Liability Advocate. Web.
Pickavance, M. (2021). Best SSL certificate services to buy from in 2021: Get the cheapest price today. Tech Radar. Web.
Robb, D. (2021). Best cybersecurity awareness training for employees in 2021. eSecurity Planet. Web.
Thomas, M. (2017). COBIT 5 and the NIST cybersecurity framework – A simplified framework solution. ISACA. Web.