Updated: Jul 13th, 2024

Amazon Company’s Risk-Management Strategy Research Paper

Exclusively available on Available only on IvyPanda® • No AI

Table of Contents

Executive Summary
Risk Management Profile
Acquisition Forecast
Discussion of Possible Vendors
Conclusion
References

Executive Summary

Since 1997, Amazon has been delivering top-quality services to its customers. Today, Amazon is a multinational company that operates in several markets e-commerce, cloud computing, digital streaming, and artificial intelligence markets. It employs 1.3 million people and serves hundreds of millions of customers around the globe (Amazon, 2021). It has created more than $1.6 trillion of wealth for shareowners, which makes it one of the world’s largest corporations (Amazon, 2021).

Amazon is considered one of the best employers and the world’s safest place of work (Amazon, 2021). The most famous products and services of Amazon include Amazon Prime, Amazon Marketplace, Alexa, and Amazon Web Services (AWS). The company is known for its support of sustainable development principles and takes high social responsibility (Amazon, 2021). In summary, Amazon is an international company that competes in several markets using the latest technology.

Amazon was started in Washington in 1994 before reconsolidating in Delaware in 1996. Amazon has strengthened its selling mechanism in its SEC Form 10K filing with the United States Securities and Exchange Commission (Amazon, 2021). The corporation is led by four ideologies: a customer-centric style instead of a competitor-focused approach, a craving for creativity, a commitment to operational distinction, and long-term performance.

The company went through an initial public offering (IPO) in 1997, which allowed it to transform the business from selling books to selling different products (Amazon, 2021). Despite high initial investments, Amazon was unable to make any profit for four years, showing first profit only in the fourth quarter of 2001 (CNN Money, 2002). Other important dates include launching Amazon Prime in 2005, moving to the cloud computing market with AWS in 2005-2011, and announcing Alexa Voice Service in 2014 (Amazon, 2021). In short, the company has a rich history of success in several markets.

The service discussed in the present paper is the retail platform used by the company to compete in the e-commerce business. The platform allows companies and individuals to sell their products. At the same time, Amazon uses the platform to sell its own products, acting both like an e-commerce retailer and an online marketplace. This implies that Amazon uses both B2C and B2B models, which allows it to have a large customer base with diversified revenue streams.

Amazon focuses on standardization of quality and procedures around the globe to ensure minimal deviations, which allowed it to create a strong brand image (Amazon, 2021). At the same time, the company adjusts its marketing to the needs of local individuals, which ensures the company’s strong customer relations. In short, Amazon maintains a high level of operations quality which allows it to successfully compete in the e-commerce market.

Since Amazon provides all services online, it is extremely sensitive to any problems with cyber security. Therefore, it is crucial for the company to continuously assess cybersecurity risks and implement necessary policies to ensure a steady flow of operations. The present paper aims at analyzing the cyber security risks Amazon faces and describing mitigation strategies to address the risks. Additionally, the paper provides an acquisition forecast that describes all the technologies, services, and products that need to be purchased to mitigate the identified risks.

Risk Management Profile

The analysis of risks revealed that Amazon faces six risks, including two types of hacking, phishing, ransomware, human error, and insider threats. Several strategies were identified to mitigate these risks. These strategies included using encryption of data at rest and data in transition, using security software, such as antivirus and firewalls, conducting cyber security training, controlling privileges of users, monitoring unusual activity, and ensuring the physical safety of assets.

All the risks and mitigation strategies are organized in Table 1 below. The table lists all the risks provides mitigation strategies and lists the required technologies, services, and products to implement the strategy. Additionally, the table includes the category of the threat according to the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST, 2018).

This framework “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes” (NIST, 2018, p. v). The mitigation strategies were advised by Big Commerce (2020).

Table 1. Risk Management Profile Table

Risk ID	Risk	Risk Mitigation Strategy (description)	Implementation: Required Technologies, Products, or Services	NIST Cybersecurity Framework Category and Sub Category Identifier (e.g. ID.AM-1)	Sub-Category Description
001	Hacking: Loss of sensitive information from online transactions	Abstain from collecting and storing customer payment information and encrypt the communication between customer and the company; ensure that the payments system is PCI compliant.	Utilize Transport Layer Security, and purchase the needed certificates for encryption implementation.	PR.DS-2	Data-in-transit is protected.
002	Hacking: Database breach	Encrypt data at rest, use firewalls and antivirus software; use loss prevention technologies.	Purchase antivirus and firewalls to protect from security breaches; purchase and implement encryption certificates; purchase and implement loss prevention tools.	PR.DS-1	Data-in-rest has protected
003	Phishing	Install security software; update security software frequently; promote password policies; use multi-factor authentication; train employees to avoid phishing emails and websites; backup all the information.	Purchase antivirus and firewalls to detect phishing emails and websites; develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against phishing; establish and maintain backup policies.	PR.AT-1; PR.IP-1; PR.IP-4	All users are informed and trained; A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality); Backups of information are conducted, maintained, and tested
004	Ransomware	Install security software; update security software frequently; promote password policies; use multi-factor authentication; backup all the information.	Purchase antivirus and firewall to detect ransomware; develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against ransomware; establish and maintain backup policies.	PR.AT-1; PR.IP-1; PR.IP-4	All users are informed and trained; A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality); Backups of information are conducted, maintained, and tested
005	Trojan horses	Install security software; update security software frequently; Back up all the information.	Purchase antivirus and firewall to detect trojan horses	PR.DS-5	Protections against data leaks are implemented
006	Human Error	Control privileges; manage passwords carefully; change the culture to reduce cyber security risks; conduct needed training to avoid human errors.	Establish policies that minimize the privileges of users to prevent human error; promote the culture that encourages discussion and asking questions; use posters and reminders; teach employees basic cyber security topics.	PR.AT-2; PR.AC-1	Privileged users understand roles & responsibilities; Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes;
007	Insider threat	Conduct frequent risk assessments; establish physical security of assets; monitor and control unusual activity and remote access.	Order risk audits from cyber security companies; purchase surveillance equipment to ensure the security of physical assets; purchase, install, and use network traffic analyzers.	ID.RA-3; ID.AM-1; DE.AE-1	Threats, both internal and external, are identified and documented; Physical devices and systems within the organization are inventoried; a baseline of network operations and expected data flows for users and systems is established and managed
008	Credit card Fraud	Use CVV; conduct training of personnel; monitor unusual purchasing activity	Develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against ransomware; establish security policies.	DE.CM-1	The network is monitored to detect potential cybersecurity events
009	DDoS attacks	Implement server DDoS protection; develop a coherent plan in case of DDoS attacks.	Purchase and install DDoS protection packages; develop and implement DDoS mitigation plans (such as creating mirrors of the website)	RS.RP-1	Response plan is executed during or after an event
010	Brute force attacks	Use strong passwords; use captcha; use two-factor identification; Monitor server logs.	Enforce strong password policies; enforce monitoring policies.	DE.CM-1	The network is monitored to detect potential cybersecurity events

The table demonstrated that several risks have similar mitigation strategies, such as using and updating security software, making frequent backups, and providing necessary training to employees. For instance, protection measures from phishing and ransomware are absolutely identical, as seen in Table 1. This implies that the risks should be addressed in their complexity rather than trying to mitigate one risk at a time. The acquisition forecast provided in the next section was created with this idea in mind.

Acquisition Forecast

Proposed Acquisition List

The present section aims at summarizing the products, services, and technologies. Amazon needs to mitigate the cyber security risks discussed in the previous section. The list provided below includes a minimum of technologies needed to address the identified risks. It should be expanded and moderated in the future to maximize cyber security at Amazon.

Antivirus. The antivirus software aims at detecting and deleting viruses from a computer along with preventing viruses from entering. Modern antivirus software can also be used for defending against malware (software used to disrupt or damage the computer), ransomware, and phishing. Amazon needs to purchase, install, and use antivirus software to defend all its computer and network equipment from malicious users. Table 1 demonstrates that antivirus is expected to defend against database breaches, phishing, and ransomware (Risks 2, 3, and 4).
Firewall. Firewalls monitor the incoming and outgoing traffic to allow or deny access using a set of defined security rules. Today, firewalls are often sold in tandem with antivirus software to maximize integrity between the products. Thus, it is always best to purchase these two products from the same vendor. According to the Risk management profile table, Amazon needs a firewall to protect it from database breaches, phishing, and ransomware (Risks 2, 3, and 4).
SSL/TLS certificates. The SSL/TLS technology is used to encrypt the data in transit between the remote server and the browser. This technology allows addressing Risk 1 (loss of sensitive information from online transactions).
Cyber security training tools for employees. These tools allow online training of employees to increase their level of awareness about cyber security risks. While Amazon can develop its own cyber security courses that would be very specific to Amazon’s culture, operations, and environment, it can also purchase out-of-the-box solutions. This product will help to minimize human errors and insider threats (Risks 5 and 6).

Discussion of Possible Vendors

Antivirus and Firewall

Antivirus software is considered a crucial aspect of the cyber security of any company. There are numerous vendors that sell antiviruses and firewalls, including Kaspersky, ESET, McAfee, Avast, Norton, and Bitfinder. All of these vendors provide similar packages of services for a relatively similar price. US News evaluated the antivirus solutions to create a list of Top 9 antivirus vendors. The three best antivirus and firewall vendors are Bitifinder (first place), Kaspersky (second place), and Webroot (third place) (Kinny, 2021).

Since Amazon is one of the largest companies in the world highly sensitive to cybersecurity risks, it would be appropriate for the company to use the best provider regardless of the price of the solution. Among the top three providers, it is best to select Kaspersky as an antivirus/firewall provider. Even though Bitfinder is considered the top provider, it does not have identity theft protection, which is crucial for Amazon (Kinny, 2021). Webroot also lacks identity theft protection and a virtual private network, which is crucial to mitigate the identified risks (Kinny, 2021). Thus, even though using Kaspersky may be expensive, it is the best option for Amazon.

SSL/TLS Certificates

The encryption certificates protect data in transit, which is one of the central cyber security risks of Amazon. The most widely known vendors include Comodo, DigiCert, GeoTrust, and GlobalSign (Pickavance, 2021). All the certificates have a similar level of protection regardless of the vendor. Therefore, Amazon should seek the best deal it can get in terms of pricing when selecting the vendor.

Cyber Security Training Tools

Cyber security training tools are crucial for preventing human errors and protecting against insider threats. Additionally, training helps to avoid phishing, ransomware, and malware, which is crucial for Amazon.

According to eSecurity Planet, the top three vendors of cyber security training programs are KnowBe4, Cofense, and CybSafe (Robb, 2021). All these companies provide similar services; however, CybSafe can tailor itself according to the level of knowledge of the employees. This feature is crucial for Amazon, as it is a multinational company with more than a million employees that have different levels of cyber security awareness.

It is crucial that training is personalized to take into account the personal needs and skills of the employees. Thus, CybSafe is the preferred vendor among the out-of-the-box solutions for cyber security training. However, it may still be appropriate for Amazon to develop its own training courses to meet the specific needs of the company.

Conclusion

Amazon is one of the world’s largest e-commerce companies operating around the globe. Since the majority of its business is conducted online, the company is highly sensitive to disruptions associated with cyber security.

The present paper identified strategies for mitigating six cyber security risks, which included installing and maintaining security software, conducting cybersecurity awareness courses, encrypting data in transit and at rest, controlling privileges of users, monitoring unusual activity, and ensuring physical safety of assets. In order to implement these strategies, the company will need to purchase antiviruses, firewalls, TLS/SSL certificates, and cyber security training tools.

References

Amazon. (2021). Annual report 2020. Web.

Big Commerce. (2020). What you need to know about securing your eCommerce site against cyber threats. Web.

CNN Money. (2002). Amazon posts a profit. Web.

Kinny, J. (2021). The best antivirus software of 2021. US News. Web.

National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity. NIST. Web.

Pickavance, M. (2021). Best SSL certificate services to buy from in 2021: Get the cheapest price today. Tech Radar. Web.

Robb, D. Best cybersecurity awareness training for employees in 2021. eSecurity Planet. Web.

More related papers Related Essay Examples