There is no debate, regardless of sector, that an organization’s most valuable resource is its people. It makes sense then that an Employee Assistance Program (EAP) can support a holistic Insider Risk Management (IRM) program. Indeed, an EAP is a worthy investment that produces significant returns.
The Case for an Employee Assistance Program
The U.S. Department of Labor conducted a study 23 years ago which quantified the return on investment of an EAP and found that “for every $1 invested in an EAP, employers save an average of $5-16.” In 2023, that equates to US$11.6-37.12.
The U.S. Office of Personnel Management (OPM) noted that this ROI is “due in part to the notably low operating cost of an EAP in comparison to the high cost incurred by issues such as lack of productivity, absenteeism, accidents, and negative mental and physical health consequences which employees may experience when not appropriately afforded wellness resources, services, and supports.”
Any seasoned IRM manager would agree that the above issues are also recognized behavioral triggers for making poor or malevolent choices associated with data loss. Indeed, an EAP not only supports people’s mental wellness, but it addresses insider security risk proactively – without burdening the business budget.
The Power of People
The DTEX i3 2023 Insider Risk Investigations Report found that employee attrition increased by 20% in the first half of 2022, and 75% of insider threat investigations were initiated by HR in the second half of 2022.
The retention of a dedicated and loyal workforce is the desired continuum, observed Dr. Sarah E. Minnis, Associate Professor, Master of Science in Human Resource Program at Western Carolina University. She went on to say, “We invest HR money into recruiting, onboarding, and training. The last thing one wants is to have an employee leave if they can be retained.”
According to Dr. Minnis, the EAP is a key element for engaging (or reengaging) employees.
“Employees in crisis begin to exhibit behavioral clues,” added Minnis. She explained, “It could be padding of an expense, taking an undocumented day off, thinking ‘no one will notice’ and by and large they are right, as many entities expect their employees to engage in self-care. When a manager/supervisor/peer has an inkling that an employee may be stressed or overwhelmed, engaging their intervention may stop the employee from engaging in a ‘bold move’.”
EAP in your Insider Risk Program
The inclusion of the EAP into your insider risk program aligns perfectly with how the DTEX i3 Insider Risk Resolution Decision Tree provides a key to understanding employee intent.
As noted by Kellie Roessler, Insider Risk Advocate & Author | i3 Content Lead at DTEX Systems, “When it comes to insider risk resolution and mitigation, the organization is not a bystander. A proportionate approach to training versus enforcement is key to stopping insider risks from becoming insider threats.”
This view is universal, as the Australian Government’s Commonwealth Fraud Prevention Centre highlighted in its 2023 Countering the Insider Threat guide. The 40-page PDF highlights the efficacy of direct engagement with the workforce in developing “personnel awareness, assistance and screening programs.”
All this said, organizations unable to invest in an EAP can still offer support to their employees to drive better business and security outcomes.
The DTEX i3 Communications Framework provides practitioners with an easily understood and shared playbook for communicating in a manner that offers employees support without emphasizing suspicion, and that helps the insider risk team gain an understanding of intent.
People, Process, and Technology
In a whitepaper produced by Symantec, the authors observed the need for clarity, process and procedures relating to an EAP to support people and in turn mitigate insider risk.
The authors highlight the need to educate employees about the benefits of the EAP and other support services, and how to access them, so that employees can turn to them for confidential short-term treatment and referral.
Indeed, the ‘See something, say something’ concept isn’t just for threats relating to physical security. I was the beneficiary of this strategy early in my government career, when I had a caring manager point out that I was on the cusp of burnout. They then referred me to the EAP and a few days of mental health rest.
I have no doubt his action enabled me to be even more productive. His compassion certainly moved the needle on my admiration for the individual who exhibited a caring attitude, not just for the success of the work underway, but also for those who were executing the objectives to ensure a successful and desired outcome.
The Cybersecurity and Infrastructure Security Agency also advocates for a multi-disciplinary governance group that includes the EAP. In its Insider Threat Mitigation Guide, the authors note that the governance group “should make modifications to existing documentation or programs when needed or create new policies and standards tailoring the organization to comply with the insider threat program and required legal constraints.”
Common sense tells us when we invest in our employees, our employees invest in us. OPM agrees, “The EAP [creates] stability and loyalty within the workforce.” This helps the employer-employee relationship become less transactional and more of an investment toward a unified success at both the macro and micro level.
Entities wishing to measure the value of their employee wellness program, of which an EAP is a part, may wish to review the very useful OPM guide.
Additionally, from a financial perspective, the ROI per employee of having an EAP as part of your holistic insider risk program is between US$322.94-1,722.37: a solid investment by any measure.
Minnis concluded her thoughts with the observation, “Companies who take care of their employees inside (whatever the machinations) will be reflected outside, and those who treat their employees poorly will have retention issues, hiring issues and productivity issues.”
Does your insider risk program include your EAP?