Big FMCG companies (like Kellogg's, Nestlé, J&J, General Mills…) hold a huge amount of consumer data, and every one of the many websites they own is a potential threat to that data.
Considering the competition between brands and the number of organizations trying to damage them, for various reasons, FMCG companies also face a big brand protection challenge (maybe bigger than the consumer data protection one).

In addition, many of these companies – if not all – outsource the development of their websites to multiple external technical agencies, which makes quality and security controls more complex to handle than if everything were built in-house.


Technical agencies working for these companies are therefore required to go through more or less strict procedures, audits and controls, to ensure that the full outsourcing process is handled as well as possible:

  • Global IT audit, to make sure the technical agency's own IT infrastructure is strong enough
  • Web application audit against several criteria (privacy and security, among others)
  • Hosting infrastructure audit

Web application vulnerability scans and penetration tests

Not all FMCG companies follow this policy, but from the information we have and could collect, some have been doing this for years and some started very recently (a few months ago). In the end, more than half of the top 10 FMCG companies are at least performing web application security scans or penetration tests, particularly on web applications handling consumer PII (Personally Identifiable Information).

The process of assessing the security level of web applications can be quite difficult, tedious and stressful for technical agencies, especially those not educated on security matters, but it is a necessary step, considering the risks to data and brand reputation. The process is even harder for marketing agencies, which are used to dealing with tight deadlines and are focused on ergonomics, creativity, design and ROI, not on bank-grade IT procedures.

Websites go through a series of tests (at least security, sometimes along with accessibility and privacy) and don't go live until critical and intermediate vulnerabilities have been fixed. A second series of tests then confirms remediation.
After every major technical update of the website, security is re-assessed by scanning at least the portion of the site that has been modified.

Web platform design reviews

As you may imagine, most of these websites are not just static pages, standalone games or campaigns. The vast majority aim at collecting data, or at least use existing data, and are therefore connected to a global platform and rely on external services. Risks related to data are high on this side as well. As a consequence, some of these FMCG companies also take part in the technical design process of the websites they outsource.

Risk mitigation

As said in the first lines of this article, the risks FMCG companies face with their websites concern mainly consumer data and brand reputation. Recent headlines like the Domino's database hack and others push big companies into taking action: these quality and security controls are a risk mitigation strategy.

Let's not forget that big companies managing big sets of data are obvious targets, but smaller ones are neither spared nor immune to attacks. They are just smaller targets.