The Risks of Opportunistic and Inadvertent Information Leakages

September 29, 2021

Meet Stephanie Eckerd, Jerry and Suzanne Ratledge Professor in Supply Chain Management at the University of Tennessee, Knoxville’s Haslam College of Business, home of the Global Supply Chain Institute. Professor Eckerd, who has published articles in numerous supply chain journals, holds a Ph.D. from Ohio State and was the recipient of the 2017 Harold E. Fearon Best Paper Award at The Journal of Supply Chain Management and the 2015 Chan Hahn Best Paper winner at The Academy of Management. Eckerd’s research has focused on the interplay of behavioral operations and supply chain management in the hopes of better understanding how various social and psychological factors influence buyer-supplier relations.

Would you explain a bit more how your recent research links the impact of data leakage to organizations’ supply chains, especially with the shift to remote that’s occurred over the past 18 months?

For a well-oiled supply chain, information sharing is really critical. Partners have to be able to share lots of different types of information with one another. They need to trust that what information is shared will be handled correctly, with care, by the other partner. That entails making sure organizations have processes and systems in place so that information does not leak out unintentionally.

Over the last year, remote working was blamed for causing considerable increases in inadvertent information leakages. An employee working from home just doesn’t have the same security systems they would be protected by when they’re in the physical office space. This could be caused by a complacency issue, or workers simply not knowing how to adequately protect themselves or struggling to set up and use the systems correctly.

Besides inadvertent data leakages, what’s the other type of leakage you’ve observed?

There’s also another, more ominous source of information leakage: opportunistic information leakage. These are purposeful, deliberate breaches. One well-known example is when General Motors was suspected to have shared key suppliers’ confidential product design information with their competitor suppliers so that GM could obtain more favorable purchase prices. While I would say that on the whole, these types of leakages are less common than inadvertent leakages, they can be even more harmful to an organization.

What’s the most surprising insight your research uncovered about data leakages during the pandemic?

Our research not only explored the organization whose information was leaked, but also, other partners and other players in that supply chain network. We were actually curious about how observing organizations perceive the events that unfolded. For example, if I were a non-affected supplying organization working with GM at the time, do I respond? And if I respond, how does that answer change if the leakage were due to inadvertent causes as opposed to those opportunistic ones?

We walked away with a couple of key takeaways. First: observing firms really don’t care what the rationale was for an information leakage; their willingness to share information with the firm that leaked information decreased, whether it was intentional, based on the firm’s actions (or inactions), or if the leak was entirely accidental. Our second big takeaway was that it wasn’t just the risk factor that we found to be driving those changes in behavior; if the leakage was inadvertent, for example, the observing manager is not just wary of the offending firm’s ability to protect data. They actually began to question the fairness, honesty, and the values of the offending firm as well. We think this has big implications for a firm that is on the receiving end of a lot of proprietary information. The damage done, even in those inadvertent leakages, has breadth, meaning that it spills over to supply chain partners who are not even directly affected by the breach. Beyond that, it also has depth of damages in the dimensions of trust between partners. Remediation efforts in these cases can be really costly and time-consuming for the firm that had the inadvertent information leakage, so it really does provide some solid impetus for those firms to be more proactive in their data protection.

As the scale of remote workers increases, how can companies fortify their data exchanges and ensure confidentiality?

There are many resources that organizations can look to. One source is the Verizon data breach security report. It contains a wealth of information regarding not only how breaches are occurring, but also, best practices given the current trends.

I think a few basic practices that can help fortify their security efforts include, first and foremost, making data protection everyone’s responsibility, from the executive team all the way down to the individual employee and contractor. Ultimately, companies must make sure that the systems in place are easy to use. And of course, top leadership must not only promote it and endorse safer practices, but must also comply with policies as well.

What else can organizations do right now to ensure the secure transfer of information?

In addition to the training on the tech side, there has to be a concentration of efforts that concern not only data protection – and mechanisms like the use of VPNs – but also detection. Role-based access rights are another key practice that can help by restricting data access only to the people who need to have it. And then, of course, encryption and authentication procedures are useful as well. Detection systems are a must. It’s also helpful to have an organizational culture where employees feel safe reporting possible breaches. A lot of employees might feel concerned or scared of reporting something like that to their tech team, but the best action is to report a possible breach as soon as possible.

What’s the single biggest piece of advice you would give to corporations facing increased risk from information leakage?

I think the breadth and depth of the damage experienced when your organization causes an information leak should be concerning to any organization. Opportunistic leakages happen by choice, but I’d be particularly focused on those inadvertent breaches. The data out there suggests organizations cannot afford to play a waiting game. Yet a recent Harvard Business Review report suggests about half of the organizations out there are still dragging their feet to a degree that puts them at risk.

Stephanie Eckerd’s industry-leading work on data leakage and its impact on supply chain organizations is one of many areas of focus at the Haslam College of Business at the University of Tennessee, Knoxville. Driving value and societal impact through tracking evolving supply chain trends in real-time is one of the ways the Global Supply Chain Institute educates the next generation of supply chain leaders. Expand your supply chain management knowledge and opportunities by exploring Haslam’s programs for the Master of Science in Supply Chain Management – Online and the Executive MBA in Global Supply Chain.