Episode 7
"… and you have user education?" our visitor asks.
"Indeed we do," the PFY responds.
"Though I see you've had a reasonably high turnover of staff in recent years."
"Yes – but that's mostly a byproduct of the user education," the PFY comments.
"No, I mean that you have a high user turnover, so education must be a burden. Tensions must run high at times."
"It's a challenge, but we find it best to bury the hatchet in a lot of cases. Get in early before things get out of hand."
"An admirable position to take."
"True enough," I reply. "And oftentimes we find the users that leave us end up becoming an integral part of other companies."
"Foundation users, you might say," the PFY says, no doubt thinking of some of our late-night cement pours.
"Other times," I add, "we seem to be the only ones who can see a user's potential and the impact that they might make. Sometimes they don't even know themselves. It's amazing what a difference you can make in their lives with a nudge in the right direction."
"Some companies would just show them the door," the PFY says. "But that's not our way."
"Not with a perfectly serviceable window," I add.
A meeting with the Company Insurer is one of those tasks which comes up every couple of years or so, but with the "newly" perceived threat of encryption ransomware, the visits have ramped up somewhat and the questions a lot more verbose.
That said, the cyber insurance game seems to be a massive rort – with caveats and clauses to shift blame back to the insured in the event of a claim. You're only likely to get a pay-out during an eclipse, when Mercury is in retrograde, your users have no access to the internet AND it's the 30th of February.
Yet even though the payout is less reliable than a VW emissions test, still everyone wants cyber insurance.
"Just answer the questions!" the Boss prompts.
"What's next?" I ask, cheerily.
"Can you outline your backup regime?"
"Cloud mirroring, daily snapshots, versioned incrementals."
"Do you run a hot site?"
"Not since they installed sprinklers," the PFY chips in.
"No offsite backups or cold sites?" he continues.
"What about hardware? Do you perform inventory stocktakes?" he asks.
"Been doing that for years," I reply, "usually at night. Sometimes I have to bring a van in."
"I … uh … mean do you track inventory? Do you erase computers once they're no longer of any use?"
"Computers, phones, people."
"Uhhhm. What about portable hard drives and personal computers? Do you permit users to bring them in?"
"Strangely, they stopped bringing them in around the same time we started bringing hammers in. It's probably just a coincidence."
"Remote access. Can people access the work data from home?"
"You … have been around for the past year?"
"Yes, yes, I understand the whole lockdown thing, but I have to ask all the questions on the list – and as I'm new to the company I need to follow the guidelines to the letter."
"Well you know what they say," I chirp, "you only sell IT insurance twice in your career: once on the way up and once on the way down. So I guess I should say WELCOME BACK!"
"What's your password policy?" he continues, ignoring me.
"Don't ask, don't tell."
"Don't ask us to relax the password policy and we won't tell you to sod off."
"Have you had any notifiable intrusions in the past?"
"The Boss walked in on me while I was on the toilet last week," the PFY says, "but it was a faulty cubicle latch. At least he said it was a faulty cubicle latch …"
The Boss has the decency to look a little embarrassed while our insurance guy presses on – no doubt making a mental note to ramp up the premium on any personal grievance cover we might have.
"Have you or your staff had any loss due to social engineering?"
"No, but we have had a bunch of it due to structural engineering. Apparently our staircases are rather slippery."
"Any history of workplace bullying, any negative workplace environment complaints or any reason why staff might bear a grudge against you or your computer systems?"
"Well there's a couple of complaints about staff being run down."
"Staff feeling run-down?"
"No, no, staff being run down. I couldn't find the hatchet," the PFY says.
"I … uh …"
"Look," I say, "we've all got a job to do. Part of ours is making sure that all our users make the best of our limited resources, and part of yours is making it down that slippery staircase – or the lift with the dodgy brake system. So why don't we just agree that we're an OK risk, that you'll waive the premium this year, and that your impact on the world will be limited to IT insurance planning and not the footpath outside that window?"
And just like that, we have an agreement which is worth every penny we paid for it.