Cybersecurity Checklist for Home Services & Handyman Businesses
Cybercrime isn't just for big corporations; it targets independent contractors, electricians, painters, and remodelers because you're often busy on job sites and have less time for security. Protecting your clients' addresses, payment info, and your business's finances is critical. You don't need an IT team to be safe. You need about four hours and a simple plan. Here's a direct, ranked list of what truly matters to keep your home services business secure.
The quick answer
The five steps that prevent 90% of breaches for home service pros: use a password manager with unique passwords for *every* app and supplier account, enable two-factor authentication on *your main business email and payment accounts*, train yourself (and any helpers) to recognize fake job inquiries or supplier emails, keep your phone and laptop software updated, and back up your client photos and financial data automatically. Everything else on this list is secondary to those five.
1. Password manager and unique passwords
Every business account should have a unique, strong password. This includes your scheduling software (like Jobber, Housecall Pro, ServiceM8), accounting platform (QuickBooks Online), supplier accounts (Home Depot Pro Xtra, Sherwin-Williams Pro), banking, and even your website's login. Reusing passwords is how hackers get into your other accounts once they get one. Set up a password manager like 1Password, Bitwarden, or Dashlane first. It takes about 30 minutes to set up and protects all your service-related logins.
2. Two-factor authentication on critical accounts
Turn on 2FA for: your primary business email (like Gmail or Outlook), your domain registrar (GoDaddy, Namecheap), your bank, your payment processor (Square, Stripe), your cloud storage where you keep project photos or client info (Google Drive, Dropbox), and any app that manages your job scheduling or client details. Use an authenticator app (Google Authenticator, Authy) instead of getting codes via text message (SMS) whenever you can. SIM swapping, where criminals trick your phone company into giving them your number, makes SMS less secure.
3. Phishing awareness
Most hacks for small contractors start with a fake email or text. It might look like a new job lead, a supplier invoice, or an urgent message from your bank. These messages try to get you to click a bad link or open an infected attachment. Look for: a rush tone, weird requests for your login details or quick payments, or email addresses that are slightly off (e.g., "support@jobberr.com" instead of "support@jobber.com"). Before clicking any link, hover your mouse over it to see the real address. If in doubt, go directly to your bank or app's website instead of clicking the link in the email.
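The "slightly off" address check above can be automated. The following Python sketch is an added example, not part of the original checklist or any vendor's tooling: it compares a sender's domain against a short allowlist and flags near-miss spellings and the subdomain trick. Only jobber.com and jobberr.com come from the text; the other allowlist entries and the function names are constructed for illustration.

```python
# Added example: flag sender domains that imitate a trusted one.
# TRUSTED_DOMAINS is a constructed allowlist; only jobber.com is from the page.
TRUSTED_DOMAINS = {"jobber.com", "examplebank.com", "examplesupplier.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lowercased domain of an address; accepts 'Name <user@host>' too."""
    addr = address.strip().rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(address)
    for good in sorted(trusted):
        # Exact match, or a real subdomain such as mail.jobber.com.
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in sorted(trusted):
        # Subdomain trick: jobber.com.example.net belongs to example.net.
        if domain.startswith(good + "."):
            return ("lookalike", good)
        # Near-miss spelling: one or two character edits from a trusted name.
        if 0 < edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["support@jobber.com", "support@jobberr.com",
                   "Billing <invoices@jobber.com.example.net>", "lead@example.org"]:
        print(sender, "->", classify_sender(sender))
```

An "unknown" verdict only means the domain is not close to anything on the allowlist; it is not a sign that the message is safe.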
4. Automatic backups
Imagine a ransomware attack encrypts all your project photos, client lists, and invoices. The only reliable way to recover without paying criminals is clean backups. Use a separate backup service like Backblaze Personal Backup ($9/month) or Backblaze Business Backup for your main computer. These services continuously back up your files to a secure location that hackers can't easily reach. Remember, simply storing files in Google Drive or OneDrive isn't a full backup solution against ransomware – those files can often be encrypted too. You need a dedicated backup system for your critical business data, like blueprints, client contracts, and financial records.
5. Software updates
Running old software on your laptop or smartphone is like leaving your tools out on a job site overnight. Most hacks exploit known weaknesses in software that could have been fixed by a simple update. Turn on automatic updates for your computer's operating system (Windows, macOS), your phone's operating system (iOS, Android), your web browser, and any business apps you use (QuickBooks, Jobber, specific vendor apps). This closes the common doors hackers try to walk through.
6-10. Additional measures by risk level
6. **Separate work and personal devices when possible.** If you can, use one phone or tablet just for business calls, client photos, and job scheduling, and another for personal use. This keeps client data separate from your personal life and reduces the risk if one device gets compromised.
7. **Use a VPN on public networks.** When you're quoting a job at a coffee shop or using a customer's guest Wi-Fi, your data could be vulnerable. A Virtual Private Network (VPN) encrypts your internet traffic, protecting your sensitive information like payment processing or accessing client files.
8. **Enable remote wipe on business laptops and phones.** If your business laptop or the phone with your job schedule and client addresses gets lost or stolen, remote wipe lets you erase all data from it from another device. Set this up through your phone's settings (Find My iPhone, Find My Device for Android) or your laptop's OS.
9. **Create a simple incident response plan (who to call if you are breached).** What if your scheduling app is locked, or client data is compromised? Know who you'll call: your internet provider, your bank's fraud department, or a local IT consultant specializing in small businesses. Don't wait until it happens.
10. **Review account access quarterly — revoke access from former contractors and employees immediately when they leave.** If you've had a helper, a temporary office assistant, or a subcontractor use your business accounts (e.g., shared login for a supplier website, access to your scheduling software), remove their access the day they finish. Unused access is an open door.
RECOMMENDED TOOLS
1Password Business
Password management + breach alerts for teams
Bitwarden
Free password manager — no device or password limit
Backblaze
Automatic computer backup for $9/mo
Some links above are affiliate links. We may earn a commission if you sign up — at no extra cost to you.
FREQUENTLY ASKED QUESTIONS
Do I need to buy cybersecurity insurance?
Cyber insurance is worth considering once you handle customer payment data, store significant customer personal information, or your business operations are heavily dependent on digital systems. For a simple service business with minimal data, your time is better spent on prevention. For any business handling healthcare, financial, or legal data, cyber insurance is essential.
What is the most common way small businesses get hacked?
Phishing emails that trick employees or owners into revealing credentials. Business email compromise (BEC) — where an attacker impersonates a vendor or executive to redirect payments — is particularly damaging and increasingly common. Both are primarily prevented by 2FA and training, not software.
How would I know if I had been hacked?
Common signs: unusual account activity, colleagues receiving emails you did not send, unexpected password reset requests, unfamiliar logins in your account activity log, unexplained charges. Run a breach check at haveibeenpwned.com for your business email addresses.