ITnews

State of Security 2026: Data Security


Case study – Toll Group

The rapidly evolving cyber threat landscape has led the global integrated logistics and supply chain company Toll Group to adopt a more comprehensive approach to data security – one that extends beyond technology controls to encompass vendor selection, contract management, and third-party risk governance.

According to global data protection lead Vasant Prabhu, traditional approaches built around stronger firewalls, tighter access controls, and perimeter-based defences were no longer sufficient for a supply chain operating at global scale.

“The most dangerous door is often one you didn’t even know existed,” Prabhu said.

“The journey has been about shifting from defending a perimeter to understanding the entire terrain, because the threat doesn’t stop evolving.”

With operations spanning more than 50 countries, and logistics increasingly recognised as a high-risk sector within the global economy, Toll Group has embedded security requirements directly into procurement processes, contracts, and third-party risk decisions as a condition of doing business.

“If you’re only managing security after risk materialises, you’re already too late,” Prabhu said.

“Data security isn’t an abstract problem – you’re dealing with customer PII, vendor records, and operational telemetry, all of it moving across borders and third-party systems where you can never fully guarantee control.”

Prabhu noted that because Toll Group’s assets are designated as critical infrastructure under Australia’s SOCI Act, the organisation faces obligations that extend beyond commercial risk.

“A failure isn’t just a commercial or reputational issue – it has a national impact,” he said.

“That’s the reality we operate in every day given shifting geopolitical alignment and global privacy mandates.”

The result is a threat surface that continues to expand faster than the controls designed to protect it.

“Between third-party vendor risk, multi-jurisdictional complexity, and nation-state threats targeting critical infrastructure – and AI introducing data flows that existing frameworks weren’t built to govern – we’re constantly managing a perimeter that doesn’t stand still,” Prabhu said.

“We must identify every member in the ecosystem and get an assessment on each, and that is phenomenal amount of work, given resource constraints and evolving threat perception.”

To address these challenges, Toll Group has strengthened vendor due diligence processes, tightened third-party access controls, and increased scrutiny around how AI technologies interact with enterprise data environments. Prabhu said third-party risk platforms such as ProcessUnity have helped ensure that “security is a condition of entry, not an afterthought”.

The organisation’s current focus on supply chain and vendor security also follows the significant cyberattack Toll Group experienced in 2020.

“We’ve already lived through what the reactive version looks like, and at the scale we operate, you can’t afford to learn that lesson again,” Prabhu said.

“The obligation to get ahead of it was as much about hard experience as it was about regulatory pressure and emerging threats.”

Prabhu added that the growing use of AI across Toll Group projects was creating an entirely new layer of complexity for data security and governance.

“Suddenly you’re asking questions about what data enters a model, is there a way of measuring the model performance, and what is data residency and processing in different jurisdictions as per regulation, and who sees the outputs – and realising your existing controls were never designed with that in mind,” he said.

“It requires a complete re-look at the data security strategy.”

“It’s going to be a lot worse with Agentic AI entering the mix. Good governance and guardrails is mandatory.”

 



Source link