
Amazon Company’s Risk-Management Strategy Research Paper


Executive Summary

Since 1997, Amazon has been delivering top-quality services to its customers. Today, Amazon is a multinational company that operates in several markets: e-commerce, cloud computing, digital streaming, and artificial intelligence. It employs 1.3 million people and serves hundreds of millions of customers around the globe (Amazon, 2021). It has created more than $1.6 trillion of wealth for shareowners, which makes it one of the world’s largest corporations (Amazon, 2021).

Amazon is considered one of the best employers and the world’s safest place of work (Amazon, 2021). The most famous products and services of Amazon include Amazon Prime, Amazon Marketplace, Alexa, and Amazon Web Services (AWS). The company is known for its support of sustainable development principles and takes high social responsibility (Amazon, 2021). In summary, Amazon is an international company that competes in several markets using the latest technology.

Amazon was started in Washington in 1994 before reincorporating in Delaware in 1996. Amazon has strengthened its selling mechanism in its SEC Form 10-K filing with the United States Securities and Exchange Commission (Amazon, 2021). The corporation is led by four ideologies: a customer-centric style instead of a competitor-focused approach, a craving for creativity, a commitment to operational distinction, and long-term performance.

The company went through an initial public offering (IPO) in 1997, which allowed it to transform the business from selling books to selling different products (Amazon, 2021). Despite high initial investments, Amazon was unable to make any profit for four years, showing its first profit only in the fourth quarter of 2001 (CNN Money, 2002). Other important dates include launching Amazon Prime in 2005, moving to the cloud computing market with AWS in 2005-2011, and announcing Alexa Voice Service in 2014 (Amazon, 2021). In short, the company has a rich history of success in several markets.

The service discussed in the present paper is the retail platform used by the company to compete in the e-commerce business. The platform allows companies and individuals to sell their products. At the same time, Amazon uses the platform to sell its own products, acting both like an e-commerce retailer and an online marketplace. This implies that Amazon uses both B2C and B2B models, which allows it to have a large customer base with diversified revenue streams.

Amazon focuses on standardization of quality and procedures around the globe to ensure minimal deviations, which allowed it to create a strong brand image (Amazon, 2021). At the same time, the company adjusts its marketing to the needs of local individuals, which ensures the company’s strong customer relations. In short, Amazon maintains a high level of operations quality which allows it to successfully compete in the e-commerce market.

Since Amazon provides all services online, it is extremely sensitive to any problems with cyber security. Therefore, it is crucial for the company to continuously assess cybersecurity risks and implement necessary policies to ensure a steady flow of operations. The present paper aims at analyzing the cyber security risks Amazon faces and describing mitigation strategies to address the risks. Additionally, the paper provides an acquisition forecast that describes all the technologies, services, and products that need to be purchased to mitigate the identified risks.

Risk Management Profile

The analysis of risks revealed that Amazon faces six risks, including two types of hacking, phishing, ransomware, human error, and insider threats. Several strategies were identified to mitigate these risks. These strategies included encrypting data at rest and data in transit, using security software such as antivirus and firewalls, conducting cyber security training, controlling privileges of users, monitoring unusual activity, and ensuring the physical safety of assets.

All the risks and mitigation strategies are organized in Table 1 below. The table lists all the risks, provides mitigation strategies, and lists the technologies, services, and products required to implement each strategy. Additionally, the table includes the category of the threat according to the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST, 2018).

This framework “focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes” (NIST, 2018, p. v). The mitigation strategies were advised by Big Commerce (2020).

Table 1. Risk Management Profile Table

| Risk ID | Risk | Risk Mitigation Strategy (description) | Implementation: Required Technologies, Products, or Services | NIST Cybersecurity Framework Category and Sub Category Identifier (e.g. ID.AM-1) | Sub-Category Description |
|---|---|---|---|---|---|
| 001 | Hacking: Loss of sensitive information from online transactions | Abstain from collecting and storing customer payment information and encrypt the communication between customer and the company; ensure that the payments system is PCI compliant. | Utilize Transport Layer Security, and purchase the needed certificates for encryption implementation. | PR.DS-2 | Data-in-transit is protected. |
| 002 | Hacking: Database breach | Encrypt data at rest, use firewalls and antivirus software; use loss prevention technologies. | Purchase antivirus and firewalls to protect from security breaches; purchase and implement encryption certificates; purchase and implement loss prevention tools. | PR.DS-1 | Data-at-rest is protected. |
| 003 | Phishing | Install security software; update security software frequently; promote password policies; use multi-factor authentication; train employees to avoid phishing emails and websites; backup all the information. | Purchase antivirus and firewalls to detect phishing emails and websites; develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against phishing; establish and maintain backup policies. | PR.AT-1; PR.IP-1; PR.IP-4 | All users are informed and trained; A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality); Backups of information are conducted, maintained, and tested |
| 004 | Ransomware | Install security software; update security software frequently; promote password policies; use multi-factor authentication; backup all the information. | Purchase antivirus and firewall to detect ransomware; develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against ransomware; establish and maintain backup policies. | PR.AT-1; PR.IP-1; PR.IP-4 | All users are informed and trained; A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality); Backups of information are conducted, maintained, and tested |
| 005 | Trojan horses | Install security software; update security software frequently; back up all the information. | Purchase antivirus and firewall to detect trojan horses | PR.DS-5 | Protections against data leaks are implemented |
| 006 | Human Error | Control privileges; manage passwords carefully; change the culture to reduce cyber security risks; conduct needed training to avoid human errors. | Establish policies that minimize the privileges of users to prevent human error; promote the culture that encourages discussion and asking questions; use posters and reminders; teach employees basic cyber security topics. | PR.AT-2; PR.AC-1 | Privileged users understand roles & responsibilities; Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
| 007 | Insider threat | Conduct frequent risk assessments; establish physical security of assets; monitor and control unusual activity and remote access. | Order risk audits from cyber security companies; purchase surveillance equipment to ensure the security of physical assets; purchase, install, and use network traffic analyzers. | ID.RA-3; ID.AM-1; DE.AE-1 | Threats, both internal and external, are identified and documented; Physical devices and systems within the organization are inventoried; A baseline of network operations and expected data flows for users and systems is established and managed |
| 008 | Credit card Fraud | Use CVV; conduct training of personnel; monitor unusual purchasing activity | Develop and conduct webinars and training programs for all employees to learn the consequences and protective measures against ransomware; establish security policies. | DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| 009 | DDoS attacks | Implement server DDoS protection; develop a coherent plan in case of DDoS attacks. | Purchase and install DDoS protection packages; develop and implement DDoS mitigation plans (such as creating mirrors of the website) | RS.RP-1 | Response plan is executed during or after an event |
| 010 | Brute force attacks | Use strong passwords; use captcha; use two-factor identification; monitor server logs. | Enforce strong password policies; enforce monitoring policies. | DE.CM-1 | The network is monitored to detect potential cybersecurity events |

The table demonstrates that several risks have similar mitigation strategies, such as using and updating security software, making frequent backups, and providing necessary training to employees. For instance, protection measures from phishing and ransomware are absolutely identical, as seen in Table 1. This implies that the risks should be addressed as a whole rather than by trying to mitigate one risk at a time. The acquisition forecast provided in the next section was created with this idea in mind.

Acquisition Forecast

Proposed Acquisition List

The present section aims at summarizing the products, services, and technologies Amazon needs to mitigate the cyber security risks discussed in the previous section. The list provided below includes a minimum of technologies needed to address the identified risks. It should be expanded and moderated in the future to maximize cyber security at Amazon.

  1. Antivirus. The antivirus software aims at detecting and deleting viruses from a computer along with preventing viruses from entering. Modern antivirus software can also be used for defending against malware (software used to disrupt or damage the computer), ransomware, and phishing. Amazon needs to purchase, install, and use antivirus software to defend all its computer and network equipment from malicious users. Table 1 demonstrates that antivirus is expected to defend against database breaches, phishing, and ransomware (Risks 2, 3, and 4).
  2. Firewall. Firewalls monitor the incoming and outgoing traffic to allow or deny access using a set of defined security rules. Today, firewalls are often sold in tandem with antivirus software to maximize integrity between the products. Thus, it is always best to purchase these two products from the same vendor. According to the Risk management profile table, Amazon needs a firewall to protect it from database breaches, phishing, and ransomware (Risks 2, 3, and 4).
  3. SSL/TLS certificates. The SSL/TLS technology is used to encrypt the data in transit between the remote server and the browser. This technology allows addressing Risk 1 (loss of sensitive information from online transactions).
  4. Cyber security training tools for employees. These tools allow online training of employees to increase their level of awareness about cyber security risks. While Amazon can develop its own cyber security courses that would be very specific to Amazon’s culture, operations, and environment, it can also purchase out-of-the-box solutions. This product will help to minimize human errors and insider threats (Risks 5 and 6).

Discussion of Possible Vendors

Antivirus and Firewall

Antivirus software is considered a crucial aspect of the cyber security of any company. There are numerous vendors that sell antiviruses and firewalls, including Kaspersky, ESET, McAfee, Avast, Norton, and Bitdefender. All of these vendors provide similar packages of services for a relatively similar price. US News evaluated the antivirus solutions to create a list of Top 9 antivirus vendors. The three best antivirus and firewall vendors are Bitdefender (first place), Kaspersky (second place), and Webroot (third place) (Kinny, 2021).

Since Amazon is one of the largest companies in the world and is highly sensitive to cybersecurity risks, it would be appropriate for the company to use the best provider regardless of the price of the solution. Among the top three providers, it is best to select Kaspersky as an antivirus/firewall provider. Even though Bitdefender is considered the top provider, it does not have identity theft protection, which is crucial for Amazon (Kinny, 2021). Webroot also lacks identity theft protection and a virtual private network, which is crucial to mitigate the identified risks (Kinny, 2021). Thus, even though using Kaspersky may be expensive, it is the best option for Amazon.

SSL/TLS Certificates

The encryption certificates protect data in transit, which is one of the central cyber security risks of Amazon. The most widely known vendors include Comodo, DigiCert, GeoTrust, and GlobalSign (Pickavance, 2021). All the certificates have a similar level of protection regardless of the vendor. Therefore, Amazon should seek the best deal it can get in terms of pricing when selecting the vendor.

Cyber Security Training Tools

Cyber security training tools are crucial for preventing human errors and protecting against insider threats. Additionally, training helps to avoid phishing, ransomware, and malware, which is crucial for Amazon.

According to eSecurity Planet, the top three vendors of cyber security training programs are KnowBe4, Cofense, and CybSafe (Robb, 2021). All these companies provide similar services; however, CybSafe can tailor itself according to the level of knowledge of the employees. This feature is crucial for Amazon, as it is a multinational company with more than a million employees that have different levels of cyber security awareness.

It is crucial that training is personalized to take into account the personal needs and skills of the employees. Thus, CybSafe is the preferred vendor among the out-of-the-box solutions for cyber security training. However, it may still be appropriate for Amazon to develop its own training courses to meet the specific needs of the company.

Conclusion

Amazon is one of the world’s largest e-commerce companies operating around the globe. Since the majority of its business is conducted online, the company is highly sensitive to disruptions associated with cyber security.

The present paper identified strategies for mitigating six cyber security risks, which included installing and maintaining security software, conducting cybersecurity awareness courses, encrypting data in transit and at rest, controlling privileges of users, monitoring unusual activity, and ensuring physical safety of assets. In order to implement these strategies, the company will need to purchase antiviruses, firewalls, TLS/SSL certificates, and cyber security training tools.

References

Amazon. (2021). Annual report 2020. Web.

Big Commerce. (2020). . Web.

CNN Money. (2002). Amazon posts a profit. Web.

Kinny, J. (2021). The best antivirus software of 2021. US News. Web.

National Institute of Standards and Technology. (2018). . NIST. Web.

Pickavance, M. (2021). Best SSL certificate services to buy from in 2021: Get the cheapest price today. Tech Radar. Web.

Robb, D. . eSecurity Planet. Web.


Reference

IvyPanda. (2022, October 30). Amazon Company's Risk-Management Strategy. https://ivypanda.com/essays/amazon-companys-risk-management-strategy/
