What We Can Learn From Flood Insurance (And How It Helps Us Think About IT Security)

by NITEC Solutions Business Development Director, Gavin Woods.

Those of you who regularly read my musings will probably be accustomed to some of these sideways ideas. The best way I can explain these is that when I attempt to understand a problem, these ideas help me to frame the discussion and grapple with a particular issue.

It wouldn’t be the first time that some of my little analogies miss the mark, but I like to think of myself as very rational. As a result, it jars when I see logic applied to one area and not to another. You know what I mean: the guy who can’t find a slot for a server reboot until next Thursday at 11pm but has no time to discuss disaster recovery.

HELLO! So, as we enter another story where you are probably asking, “What the blazes is he on about now?”, I hope by the end, between us, we will have shed some light on an area that probably gets very little of your brain time right now.

Picture this…

In the UK over the last decade or two we have gradually been building houses in areas that historically would have been considered flood meadows. If you went and asked the original farmer who owned the land he would probably say something like, “Honestly, I couldn’t believe anyone wanted to build anything there. We always called it Bog Meadow!”

As an aside, if you live in a street called Bog Meadow, it’s not called Bog Meadow for no reason. Sell! Now! While it’s dry. In fact, if it’s called Bog Meadow View, sell! That is estate agent speak for ‘slap bang in the middle of a river’ at some not too distant point in the future.

We all understand this problem, although we may not know how to explain it scientifically. In technical terms this is called recency bias. We tend to apply too much weight to recent data points. We think that an event that happens every 50 years is less likely to happen because it hasn’t happened in the last 20 years.

The thing is, if you want to sell your house for a reasonable amount, it helps if every insurer on the planet hasn’t already worked out why your street was called Bog Meadow View and removed cover for flood risks from their policies. There is a problem with your house: it is likely to flood, and all the insurance cover in the world is not going to help. You have a problem and you need to fix it. See Aquadam below.

This is a potentially ingenious solution to this problem. You have to tip your hat to humanity. We are amazing.

So, how do you protect yourself?

I’m not going to bore you with numbers. I could, and I would probably enjoy it, but I hope you get the idea. We need insurance. Insurance is a good thing. But it is no substitute for active risk reduction techniques. Insurance works best when combined with good mitigation. The ability to pay for fixing your flood damage does nothing to compensate you for the mental anguish you have suffered.

It cannot replace the beloved picture of your granny who recently passed and it’s not going to compensate you for the difficulty of selling your home when it’s designated in a flood risk area.

Also, and more importantly for our little analogy today, after you have been flooded once, the cost of getting insurance will rise and cover will possibly, if not probably, be unavailable to you. So… you are left with your thorny issue of “how do I mitigate my risks?”

This is the exact same issue we began with. Insurance is really only good when on balance of probability you don’t need it, and I have a premonition that this same story in IT is going to be played out many times in the years to come. The reality of insurance is that if on balance of probability you will need it, then on balance of probability you won’t be able to afford it.

IT Security

If I could trouble you to do a quick mental switcheroo. Your business is operating in a hostile environment. Every day an army of people are trying to breach your external defences and some of you are relying on breach insurance as your only mechanism to get by – this is a terrible idea.

You suffer from recency bias because you think that because you haven’t been breached yet you are less likely to be breached tomorrow. This, at least to my mind, is akin to building your house on Bog Meadow in the hope that a mixture of good luck and insurance will stop the floods when they come.

Also, when you get hacked, and you probably will at some point if your plan is to rely on insurance alone, finding breach insurance going forward will be about as effective as walking around looking for a date, ringing a bell and shouting ‘unclean’.

The takeaway then is you probably need insurance, but you need to pretend you don’t have it and start, if you haven’t already, making sure that your risk reduction measures are in place.

What risk reduction measures?

Well, I’m glad you asked. Next week we are going to start a series of discussions looking at exactly that. Most beneficial risk reduction techniques are simple, some are free, and some will cost you a bit.

As a bit of a taster, next we look at how to massively reduce your risk of sending money to fraudsters.

Spoiler alert: it’s basically free if a smidge annoying. Stay tuned.