
Insurance is just betting against yourself.
Why would you bet against yourself if you know what you're doing?
So we've got our annual insurance audit to validate the company's worthless cybercover – a policy with more get-out-of-jail free cards than a prison monopoly set. "Just going over your general security settings … Can you tell me your password policy for users?" Brian, the guy from the …
As members of the Board of Directors, not paying for insurance means Great Savings for Justice, our stock portfolios' values increase, and we give ourselves bonuses for being awesome financial stewards.
If our factory burns down and we go out of business, we get our Golden Parachutes, and jobs elsewhere in the industry, with even fatter compensation packages.
Where's the downside (to us)?
I would agree with you on something like a washing machine warranty. Were it to break I could afford to buy a new one, however having house insurance matters. It's all about cashflow.
I had a house fire many years ago caused by an immersion heater timer. We were out at the time and got back to find quite a mess. The total paid out by the insurance company was £118,000. Even if I were to pay more than that in a lifetime of premiums (I won't) I would prefer to spend that over a lifetime and not all at once. Sorting life out was hard enough with the insurance, without it it would be devastating.
Minor nitpick: In many countries, such as the UK, the life insurance pays out to a named beneficiary. It's nothing to do with your will. (Maybe there are countries that do it differently?)
The reason for that is that your will divides up your "estate" - everything you owned. Many countries, including the UK, tax estates. So if the life insurance money went into that pot it would be taxed. By paying it directly you avoid that tax. Also if sorting out the estate takes a long time, that doesn't delay the life insurance payment.
It's optional in the UK - a policy can either be written to be owned by the life insured (and the payout therefore goes into the estate on death) or to be owned by a named beneficiary (who is then technically liable for paying the premiums) which keeps the payment outside the deceased estate. If the estate is subject to income tax, both options benefit from professional advice or a lot of personal research.
>the life insurance pays out to a named beneficiary. It's nothing to do with your will.
You need to have specified a named beneficiary and they need to be traceable, otherwise, it is paid to the Estate....
Pension pots are similar. However, if you haven't informed the pension provider of your legal partner, they can refuse payout...
I always look at Home Insurance in this way - I could put the money I spend in a bank account in case I ever had a fire and needed to rebuild. And in the long run I would absolutely save a ton of cash. However, if my house burns down at the end of the first year (or first 10 years), before I have the money to rebuild saved up. Well then, frankly, I'd be up sh&t creek without a paddle, and the choco crocs would be circling.
Home Insurance allows me to not have to worry about when that fire happens, whilst knowing the pot of money will be there to rebuild if/when it happens (and fingers crossed, it never does happen). Ok, you have to take in the millions of caveats that the insurer will use to try and get out of its obligation, but it is still a better option, if you can't have the money there from the start.
Cyber Insurance though, is a complete waste of everyone's time, and the sooner it dies, the better for everyone...
That is indeed the first and last principle of all insurance.
In between is the principle that you only take insurance that you know has a history of paying out. Home insurance generally pays out, but many others do not. Check it!
In places where the car insurance companies effectively run the justice system as it relates to car accidents, you may be legally required to get car insurance to drive, or effectively required because if you're involved in an accident and uninsured then you are at fault. It's a bit of a way off cyber insurance, but there are sometimes other reasons to get insurance.
Over here you're required to get insurance that pays for someone else's damage when you're at fault for an accident (unless you're driving in a criminal way, e.g. drink driving).
There aren't a lot of people on this planet who can afford paying for an expensive car + lifelong medical costs due to an injury.
Here on the old continent, car liability insurance is mandatory, to protect the public from you operating a potential deadly piece of machinery.
Comprehensive or theft insurance is not, as the public cares very little if you have to take the bus after causing an accident with said piece of sh^Hteel. You may decide to take the risk of losing your car, and the lower it gets in value, the less attractive comprehensive insurance becomes. But if you should injure a cyclist, the insurance company will pay (and, should you have been intoxicated, may recover their losses from you). The victim should not have to suffer from your bankruptcy.
>AND if you cannot afford to replace it.
Disagree...
I can afford to replace my recently dead freezer, however, it was insured and will get replaced for free. Okay I took a gamble, it was 15+ years old, so when the insurer accepted it, the odds were in my favour, and the replacement will require a little hassle (ie. it won't be as simple as an online purchase).
I perform a similar trick with my steam iron and kettle: with one purchase I have a high certainty the 3 year extended insurance will be paying out; I live in a hard water area.
"I perform a similar trick with my steam iron and kettle: with one purchase I have a high certainty the 3 year extended insurance will be paying out; I live in a hard water area."
A canny insurer may well have a clause that includes "proper maintenance" and twist that to check if you have used deionised bottled water for the iron and/or used a regular descaler treatment for both items. As someone who does warranty repairs in the IT industry, I'd expect anyone doing kitchen appliance repair/replacement to do the same as me. Check first for "user damage". Allowing a kettle to build up lime scale in a known hard water area would probably be user damage. Except I suppose that these days it's probably not economic to even attempt to repair those items so that user damage won't even be looked at and the mis-use by the user simply adds a few pennies to everyone's insurance. The company won't care because the customers are paying for it.
Agree, but high st. stores, their "warranty inspector" will give the item a simple lookover for, as you note, obvious damage and then pull an equivalent item off-the-shelf.
For other goods, I've tended to go with the manufacturer's included warranty and effectively self insured. As you note, insurance requires a canny mindset; I don't expect to beat the insurers but I do expect to reduce my overall expenditure on insurance.
Recently had a laugh, the new managers at a client, decided they were overpaying on the insurance (with NFU), and switched to a cheaper insurer, who as a condition, required them to keep an accurate asset register. Needless to say the cost of creating and now maintaining that asset register exceeds the premium saving, plus NFU expected stuff to fail (anyone who has worked with farmers will understand why), so had built in a level of payout; which meant they effectively covered the replacement of a couple of laptops every year with no hassle, for which there was no explicit budget.
>I could put the money I spend in a bank account in case I ever had a fire and needed to rebuild. And in the long run I would absolutely save a ton of cash.
You either have a very cheap house, or hugely expensive insurance.
Just looking at rebuilding costs, I'd have to pay my annual home insurance premium for about 400 years to reach parity with the cost of rebuilding.
I was thinking the same thing, an avg home would cost in the region of 100-130k to rebuild... I just spent £18k converting a garage and a cloakroom into a bedroom & ensuite so my mum can come to live with us. If I'd paid a contractor to do it all from start to finish, that would have easily been £25k
I wouldn't call it overinsured. Buildings insurance is supposed to cover for a rebuild. The assessed "value" is supposed to cover up to a full demolition/clearance/rebuild. If it doesn't, then the insurer or their assessor got it wrong and you may well be able to claim on their professional liability insurance.
Now look at what your policy says about accommodation and other costs incurred, whilst you await the restoration of a habitable home.
However, for many they are less likely to be under-insured on the buildings than they are on the contents, which is where the insurer will be looking to save money. So whilst you might get the house rebuilt, it may be lacking in fixtures and fittings ie. the fitted kitchen is covered under the contents not the buildings insurance.
3 years after I moved in to my property I had a fire which gutted the kitchen, and the rest of the property was covered in soot, the bathroom had to be replaced as well purely from smoke damage.
I will be dead by the time the buildings insurance premiums add up to the cost of repairs.
I did not have contents insurance. £1,500 for washing machine, fridge, a cheap bed and sofa etc. Now by the above logic I was lucky that my ~£4000 worth of computer equipment was fine because if I had relied on putting insurance premiums in an account it wouldn't have covered it by 3 years...
I have now lived here for 15 years. If I had lost my computer equipment and borrowed the money to replace everything with new high end kit from a loan shark then I'd have paid less than what insurance providers quote me for contents insurance. If I missed a payment then I would probably also get better customer service from the loan shark than I had dealing with that insurance company regarding the "high quality work" of their mandated contractors.
"the insurer will never make that money back."
They already did. From the many insured people who didn't have accidents. Insurance is socialised across all payers. At least for now. With "big data" and so-called "AI", it's becoming more and more targeted at the individual such that it could become unaffordable to anyone classed as "high risk". We are already seeing this happening now with drivers and car insurance.
When we bought our first house, we were required to arrange insurance as a condition of getting the loan (reasonable enough), and not having strong opinions we opted for the convenient option of arranging it through the lender's insurance arm as part of the settlement process. (We changed insurers later.)
About a week after we moved in, storm damage meant that part of the kitchen ceiling needed to be replaced. We were glad that we hadn't delayed on getting the insurance sorted out!
Well, there is that but your original post was more general.
While we know the industry has woken up to the potential golden opportunities, I think there is value in having our assumptions that we know what we're doing when it comes to security checked every now and then. But, having observed several negotiations and box-ticking exercises along these lines, I'd always recommend spending the money on pen-testing first to know where you really are vulnerable, especially as new exploits for old software/practices become available. These can form the basis of any discussions, either with insurers, or with customers who expect it. Done well, it's like a checkup at the dentist and can be educational for all concerned.
OTOH mindless box-ticking remains the most popular approach!
However, an endowment life insurance is a very good legal tax dodge. Hold the policy for 10 years and all proceeds are tax free, die before 10 years and the payout will be tax free and outside of the estate. The best policies (for investment) are those which had minimum life insurance (think funeral expenses) and allow "massive" contributions....
I'm glad I have insurance, because since I moved out of my folks' house at the age of 18... I've had the following things happen
Had my flat burgled, insurance paid out almost 3k.
Dropped my first PC on a concrete floor, had my insurance replace it with a much better one.
Dog knocked over the very old 720p only LCD TV, insurance replaced it with a much nicer LED one
Idiot in a BMW tried to overtake me on the inside of a roundabout and turn left, insurance paid out £1458 for the car I paid £1050 for, let me buy it back for £220, and I spent £600 repairing the dinged door and wing, plus powder coated the wheels, added a reversing camera and came out with around £600 in my pocket.
Drunk/drugged up idiot in an Audi smashed into my car (and 3 others) whilst it was parked on the road, whilst visiting my parents, insurance paid out £2500 for a car I paid £1900 for, I picked up a newer identical one in the same colour, swapped over a load of the 'improvements' I'd made, inc the powder coated wheels and OEM spoiler I'd had done, stripped out some sensors from the engine bay and removed the sat nav system, headlights and drained the fuel tank before they took the car away.
I'm now in my mid 40's, I couldn't have survived the burglary in my early 20's when I had no money to replace anything, same with the PC. When my dog broke the TV, I'd given up work to help care for my dad as he had Parkinson's and dementia... so I was living in near poverty for several years.
As for the 2 car incidents, not really an issue financially... I practised 'bangernomics' where I buy a luxury type of car for dirt cheap money that was at least 10-12yrs old with a 100k or so on the clock and keep it until it becomes uneconomical to repair any more. If you buy the right make/model, you're laughing (I stick with Honda for the ultra reliability, but almost any Jap brand will suffice providing the vehicles are built in Japan)... But the fact I paid £1050 for one, got almost £1500 payout, bought it back, fixed (that thing was like a tank) it up (profiting around £600), and then sold it for £750 a year later meant that cost of ownership for the 4yrs I owned it was negative £300. As for the 2nd car incident, I still have the replacement 5yrs later, it's still running well, and those spare parts I stripped come in very handy, the headlights for example swapped out as the others went foggy, and I'll refurbish those to sell, the satnav system was sold for £200 and I have spare air/fuel/egr sensors should any fail.
I don't mind paying for insurance.
It's not just betting against yourself, but betting that someone else may cause you loss.
If you look at the origins of fire and property in the insurance in the UK, you'll find the roots in a catastrophic event, The Great Fire of London. That event was caused by one person's mistake but it caused catastrophic losses to thousands. It's not like you could have even recovered those losses by suing Thomas Farriner, as the value of the losses far exceeded one individual's wealth.
> And it's an enterprise level, next-generation firewall?
Ummm, if it is deployed then that (by definition) makes it the current generation.
A "next generation" firewall can only exist in the R&D departments of firewall makers. And you definitely wouldn't want to be running one of those. Not until it gets released as a product and therefore becomes the new current generation.
The problem is that sometimes they baffle me.
Genuine question that a company I once worked for was asked by auditors - Do you have TCP?
After a very long pause wondering why this would ever be asked - Yes
The person asking just had no idea at all what questions would have been relevant to ask or how they should be worded.
We have annual audits and yes, attempting to baffle them is the only enjoyable part of that process.
There is always another question to answer.
After a while, I extend my response time to as long as possible knowing that the due date for the audit completion is coming up and they need to submit their findings by that date.
I was once asked, while being interviewed by my manager to-be for a position as network administrator, if I knew anything about TCP. I looked at him in a somewhat amazed way and said 'Yes, it's a requirement to be Cisco certified.'. He was the head of technical support and my certs were on my resume.
"Do you have TCP?"
With or without the IP?
We tried TP4 but it didn't have anyone to talk to so it was lonely.
I am very wary of nongs doing surveys obviously sent on fishing expeditions especially by new brooms trying to make their mark by finding synergies and efficiency dividends. Enough hells in this game with fresh ones.
Slight deviation for the original BOFH password policy:
Sheer genius.
Somehow this episode reminds me of the time my wife was pissed off at the sysadmins at her work, because they wouldn't let her stick a post-it with her password on her computer monitor. The spoilsports!
She was quite offended when I heartily agreed with the sysadmins.
Indeed. A home user can type the password from a poster hanging across the room and it will still be more secure than any office warrior with a 100 eyes/lenses on their hands when typing.
Most passwords are stolen using key-logging malware or retrieved from massive password leaks anyway (remember LastPass, or [breach of the month]). That is why world&dog wants everyone to use passkeys.
I usually create passwords, based on UK Railway Station Names, but for the last few years I've been using Bandname"LP Title"Year, while meeting the usual requirements.
Up until earlier this year when it came to changing the password, I used the same password while only changing when I hit the shift key (Must be said my password is actually half as long again as the minimum).
Then we moved to a new authenticator system, they gave me access as part of my support role to the authenticator password & I now just set myself the same password when it expires.
The recommendation for the last few years from several official bodies, including the German Federal Office for IT Security, is that as long as passwords are sufficiently complex, they shouldn't expire. This is because forcing people to renew often ends up encouraging bad practice, along with the lockouts by the usual suspects who changed passwords just before going on holiday…
Passphrases to generate mnemonics (Battery horse staple…), or strategies like yours are great for stems, but need extending with something service specific to make them both more complex and memorable.
Why use a mnemonic... why not just use the whole passphrase?
It's verging on criminal that touch typing isn't taught in primary schools alongside writing - or maybe a little later in primary school.
Typing words is generally faster than typing random strings, even if you know the string reasonably well, just because the letters are definitely the "focus" point of our keyboards, and we already have the muscle memory and patterns built in for typing words.
Wow - it's amazing how many more typos I made typing that sentence than I normally do...
I've started using patterns now that the company is demanding 15 characters with numbers, caps and special characters included. Come password reset time, I use the same pattern and just shift one key to the left for the first character. They get their security and muscle memory lets me "memorize" the line noise.
Password reset schedules are just dumb in the vast majority of cases.
I mean at least I can genuinely say that I have no idea what my password is, I know how I generate it though: "openssl rand -base64 21"
Then it lives in a password manager, and I don't touch it again until it's time to renew it, at which point I generate it and put it in a text document so that I can easily copy it to the dozen or so things which need it in the first two days. Then it can get scrubbed... but I don't yet have a password manager I can tell "all these things that you think are different are backed by the same SSO login, update them all at the same time".
In a previous job, all the server passwords were written down on small cards and placed inside one of those little cashboxes that was kept in the bottom drawer of my desk.
It was locked, obviously, but nothing a good screwdriver couldn't break open.
The reasoning of the person who suggested this was if ne'er-do-wells could get to the box it was already a security fail.
"Well, we don't put up floor plans of the data centre on the walls any more. And we've taken all the direction signs down".
"Yes, any intruder ignorant of the building layout would be at a distinct disadvantage."
"What? Security through obscurity is no security!"
"They'd need to know which corridor to go down."
"What door to open."
"When to duck."
The spouse once (late 90s, early 00s) worked in a financial institution where the policy required changing passwords (>8 chars, mixed case, digit+, special+) every few months but there wasn't a diktat about post-it notes. The staff in the department had long ago worked out that the system only recorded the last five passwords so each monitor had a post-it note with a list of the six passwords they used cyclically. Was probably some DEC system with TCB.
At least recently the recommendations on password policy are a little saner.