Cybersecurity Basics for a Roofing Business: 2FA, Password Managers, Ransomware
You are not too small to be a ransomware target. In 2027, over 35 percent of ransomware attacks hit businesses under 100 employees. Roofing contractors are attractive targets: customer financial data, W-9s from subcontractors, insurance claim PII, and bank login credentials sit in email inboxes and file servers.
The good news: 80 percent of attacks are preventable with basics. Here is the roofing-operator version of a cybersecurity plan.
Tier 1: Two-Factor Authentication on Everything
2FA on email is the single highest-leverage security move you can make. 70 percent of small business attacks start with a compromised email account.
Enable 2FA on:
- Email (Google Workspace, Microsoft 365, whatever you use)
- CRM (Acculynx, JobNimbus, RoofKnockers, etc.)
- QuickBooks Online
- Bank accounts
- Payment processor (Stripe, Square, etc.)
- Domain registrar
- Cloud storage (Dropbox, Google Drive)
Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator). SMS 2FA is better than nothing but is vulnerable to SIM swap attacks.
Tier 2: Password Manager
Your team is using the same 3 passwords on 40 different websites. This is the second biggest attack surface. A password manager generates unique 20+ character passwords and remembers them for the team.
Tool pricing:
- 1Password Business: $8/user/mo
- Bitwarden Business: $3 to $5/user/mo
- Dashlane Business: $8/user/mo
- LastPass Business: $7/user/mo
1Password and Bitwarden are the leading choices. 1Password is polished, Bitwarden is open-source and cheap.
Tier 3: Backup Strategy
If ransomware hits, your recovery plan is restoring from backup. No backup means paying the ransom or losing everything.
The 3-2-1 rule:
- 3 copies of your data
- 2 different storage media
- 1 offsite copy
For a roofing contractor:
- Primary: Your CRM (RoofKnockers, Acculynx, etc.) stores your customer and job data in the cloud with its own backups
- Secondary: QuickBooks Online has its own cloud backup
- Tertiary: Local file server with weekly backups to a cloud provider (Backblaze at $7/mo, Wasabi, or AWS S3)
Test backups quarterly. An untested backup is not a backup.
Tier 4: Employee Training
Phishing emails trick 1 in 8 employees on average. Training cuts that to 1 in 50.
Low-cost training tools:
- KnowBe4: $20 to $45 per user per year, simulated phishing and training
- Hook Security: $12 to $25 per user per year, similar
- Microsoft Attack Simulator: free with Microsoft 365 Business Premium
Send a simulated phishing email every month. Whoever clicks gets the 10-minute training video. Repeat offenders get a one-on-one conversation.
Tier 5: Email Security
Beyond 2FA, harden email with:
- SPF, DKIM, DMARC: DNS records that let receiving mail servers reject mail that spoofs your domain
- Attachment scanning: Microsoft Defender and Google Workspace have this built in
- Phishing filter: included in most business email tiers
- Forwarding alerts: notification when someone sets up auto-forward rules (classic attacker persistence trick)
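A small checker for the SPF and DMARC records above, added here as an example (not from the original article and not RoofKnockers code): it parses two constructed TXT records for a placeholder domain and flags the settings that leave spoofing unblocked (`+all`, `?all`, `p=none`, no `rua=`). It also flags the 10-DNS-lookup limit from RFC 7208, which the article does not mention.

```python
import re

# Constructed sample TXT records for a placeholder domain, not real DNS data.
SAMPLE_SPF_OK = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.google.com +all"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none"

def check_spf(txt):
    """Return findings for one SPF TXT record; an empty list means no weak settings."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The 'all' mechanism decides what receivers do with senders you did not list.
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host on the internet send as your domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    # More than 10 lookup-causing mechanisms is a permerror (RFC 7208 4.6.4), which
    # most receivers treat as if you had published no SPF record at all.
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|ptr|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the SPF limit of 10")
    return findings

def check_dmarc(txt):
    """Return findings for a DMARC TXT record; pass None if no record is published."""
    if txt is None:
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports on who is spoofing you")
    return findings
```

To run it against your own domain, pull the TXT records for `yourdomain.com` and `_dmarc.yourdomain.com` with `dig` or `nslookup` and pass the strings in.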
Tier 6: Endpoint Protection
Every employee laptop and office computer needs endpoint protection. Options:
- Microsoft Defender (included with Microsoft 365 Business Premium)
- Bitdefender GravityZone ($30 to $50 per endpoint per year)
- CrowdStrike Falcon ($60 to $150 per endpoint per year, enterprise-grade)
- SentinelOne ($60 to $100 per endpoint per year)
Tier 7: Sensitive Document Storage
W-9s, signed contracts, and insurance claim documents are high-value targets. Storage rules:
- Never store in open email folders
- Store in a dedicated encrypted folder in your CRM or document management system
- Limit access by role
- Purge documents after legally required retention (7 years for tax documents in most states)
Ransomware Response Plan
If ransomware hits:
- Disconnect: Unplug affected machines from the network immediately
- Do not pay: Contact FBI IC3 (ic3.gov) and your cyber insurance first
- Contain: Identify scope (how many machines, what data)
- Restore: Rebuild from backups on clean hardware
- Notify: If customer PII was exposed, notify customers per state law
- Report: Cyber insurance, FBI, state AG
Budget for the post-attack bill: $50K to $250K even for a small business, mostly in downtime, forensics, legal, and notification.
Cyber Insurance
A $1M cyber liability policy runs $1,500 to $5,000 per year for a small roofing contractor. Covers:
- Ransomware payment and negotiation
- Forensics investigation
- Customer notification costs
- Legal defense
- Business interruption
Underwriting is getting tighter. Carriers now require 2FA, backups, and endpoint protection to issue policies.
Wi-Fi and Physical Security
- Separate guest Wi-Fi from employee Wi-Fi
- Change default router passwords
- Lock the office server room or locate equipment out of sight
- Require screen lock on all employee devices (5-minute timeout)
Subcontractor Data
You hold W-9s for subcontractors with SSN or EIN. You are responsible for protecting this data under IRS rules. If you store W-9s:
- Keep them in an encrypted folder
- Limit access to accounting staff only
- Purge after 7 years (legal retention)
- Do not email them around internally
RoofKnockers Security
RoofKnockers uses 2FA, encrypted data at rest, role-based access, and audit logs. Customer PII and contract documents are not sitting in email.
FAQ
Q: Are we really a target at 8 employees and $800K revenue?
A: Yes. Attackers automate. They are not picking you specifically. They are running phishing at 10,000 businesses and working the ones who click.
Q: Can we just outsource all this to an MSP?
A: Yes, at $100 to $300 per endpoint per month. An MSP handles the implementation and monitoring. You still own policy and training.
Q: What is the single most important thing we should do today?
A: Enable 2FA on your primary email account. Takes 5 minutes. Blocks 70 percent of attacks.