
HVAC Contractor Cybersecurity: The Uncomfortable Conversation

If you're an HVAC contractor and you've never thought about cybersecurity, this is for you. The realistic risk, what underwriters now require, and what to actually do.

If you run an HVAC business and you’ve never seriously thought about cybersecurity, you’re not unusual. You’re also at risk. The same is true if you’re a plumber, an electrician, a mechanical contractor, or any other specialty trade. Here’s the conversation you probably wish someone would just have with you, without the FUD and without the pitch.

Why HVAC and the trades got on the radar.

A few years ago, if you’d told an HVAC owner that ransomware operators would specifically target his business, he would have laughed. Why bother? There are bigger fish.

That logic stopped working around 2022. What changed: ransomware became a volume business. Operators learned that specialty trades have three useful properties: critical operational data on local networks, insurance that will pay claims, and intense seasonal pressure (summer for cooling, winter for heating, spring for new construction) when downtime is unacceptable.

So they get hit, not because someone targets them by name but because automated tools find them. Once they’re in, the operational pressure makes ransom payments more likely than they would be at, say, a law firm with the same revenue.

What the actual attack looks like.

The pattern is depressingly consistent. A spear-phishing email lands in a service manager’s inbox. It’s a fake invoice, a fake delivery notice, or an internal-looking message about benefits. Someone clicks. Credentials get harvested or a remote-access tool gets installed. The attackers spend a few days exploring the network quietly. Then on a Friday afternoon (or right before a holiday weekend) they encrypt everything.

Monday morning: dispatch can’t see service tickets. The accounting database is unreachable. The phones ring while the office staff stares at frozen screens. The ransom note demands $80,000 in Bitcoin.

This isn’t a hypothetical. It happens to specialty trade businesses across the country, several times a week.

What cyber insurance underwriters now require.

Five years ago, a cyber insurance policy for an HVAC contractor was a one-page rider on a general liability policy. Today it’s a real product, with real underwriting, and the questionnaires are getting longer. Underwriters now expect:

Multi-factor authentication on every account that matters. M365, accounting, line-of-business apps, VPN. No exceptions for the owner.

Endpoint detection and response (EDR) on every workstation and server. Traditional antivirus alone is not enough.

Email security beyond what M365 includes by default. Anti-phishing, impersonation protection, attachment and URL scanning.

Backups that are tested, not just configured: actual restore tests, with the results documented.

Security awareness training for staff. Quarterly is the typical expectation.

A documented incident response plan.

If you can’t show these, expect non-renewal or a significantly higher premium. The alternative, accepting exclusions that carve out exactly the losses you are buying the policy for, defeats the point of having it.

What to actually do.

If you’re starting from a typical small contractor IT setup (one or two servers, M365 for email, antivirus on the workstations, and whoever set it up isn’t really managing it anymore), the priority order is roughly this:

  1. Turn on MFA everywhere it isn’t already on. M365 first, then accounting, line-of-business apps, and VPN. Prefer an authenticator app or hardware key over SMS codes. Expect pushback from staff and push through it; the small inconvenience is worth the protection.

  2. Replace antivirus with proper EDR. Most quality MSPs include this in their managed services. If yours doesn’t, ask why.

  3. Test your backup. Don’t just check that it ran. Have someone restore a file and confirm it works. Then have them restore an entire server image to a test environment and confirm that works too. Most backups fail their first real restore test. Keep at least one copy offline or immutable; the same intruders who encrypt your servers will look for reachable backups and delete them first.

  4. Get email security configured. Anti-phishing, impersonation protection (especially for executives and accounting staff), attachment and URL scanning. Microsoft sells this as Defender for Office 365, which is included with Microsoft 365 Business Premium but not with the Basic or Standard plans; third-party tools cover the same ground.

  5. Run security awareness training and a phishing simulation once a quarter. Track the click-through rate. Spend extra time with the people who keep clicking.

  6. Write down your incident response plan. Even a one-page document is better than nothing. Who do you call, and what do you do first? What’s the order of operations?
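Step 3 is the one most often done badly, so here is what “actually restore it and confirm it works” looks like as a script. This is an added example, not code from the original article or from any backup product: it assumes a tar.gz archive and an independent SHA-256 inventory of the source tree taken at backup time (both produced by the helper functions below), and it runs three restore tests over a constructed sample tree: a good backup, a backup whose job reported success but silently skipped the “database” file (the locked-file case), and a truncated archive. The point generalizes to any backup product: restore to a scratch location and compare content, not just the job’s exit code.

```python
"""Restore-test a backup instead of trusting its 'job completed' status.

Added example, not from the original article. Assumes a tar.gz archive built by
make_backup() and an inventory of expected files built by inventory(); a real
job would substitute its own archive format and restore command.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(src: Path) -> dict:
    """Record what SHOULD be in the backup: relative path -> SHA-256 of each file.
    Taken independently of the backup job, so the job cannot grade its own work."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path, skipped=()) -> None:
    """Archive src as tar.gz. `skipped` simulates files a backup agent silently
    drops (a locked database file is the classic case) while still reporting OK."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel not in skipped:
                tar.add(p, arcname=rel)


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> dict:
    """Restore the archive into restore_dir and compare every file to `expected`.

    Returns {"ok", "restored", "missing", "corrupt", "error"}. ok is True only if
    the archive restores cleanly AND every inventoried file comes back byte-identical.
    """
    report = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "error": None}
    restore_dir.mkdir(parents=True, exist_ok=True)
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # rejects path traversal (3.12+)
            except TypeError:  # older Python without the filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError, zlib.error) as e:
        report["error"] = f"{type(e).__name__}: {e}"  # archive unreadable: restore failed outright
        return report
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file():
            report["missing"].append(rel)
        elif sha256_of(restored) != digest:
            report["corrupt"].append(rel)
        else:
            report["restored"] += 1
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def demo() -> dict:
    """Three restore tests over a constructed sample tree (not real customer data)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "server"
        (src / "dispatch").mkdir(parents=True)
        (src / "dispatch" / "tickets.csv").write_text("ticket,customer\n1001,Example Co\n")
        (src / "accounting.db").write_bytes(b"\x00" * 4096 + b"ledger")
        (src / "notes.txt").write_text("constructed sample data, not a real backup\n")
        expected = inventory(src)

        good = tmp / "good.tar.gz"
        make_backup(src, good)
        results["good"] = verify_restore(good, expected, tmp / "restore_good")

        # Job "succeeded" but the locked database file never made it into the archive.
        skipped = tmp / "skipped.tar.gz"
        make_backup(src, skipped, skipped=("accounting.db",))
        results["skipped_db"] = verify_restore(skipped, expected, tmp / "restore_skipped")

        # Archive exists and has the right name, but half of it is gone.
        truncated = tmp / "truncated.tar.gz"
        data = good.read_bytes()
        truncated.write_bytes(data[: len(data) // 2])
        results["truncated"] = verify_restore(truncated, expected, tmp / "restore_truncated")
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, json.dumps(report))
```

Only the first test passes; the other two are the failures a “backup completed successfully” dashboard will never show you. Whatever product you use, the restore test should produce a report like this one, dated and kept, because that is also what the underwriter means by “documented”.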

None of this is exotic. None of it requires a six-figure investment. It does require attention, and someone has to own it.

If your IT person says you don’t need this.

That’s a problem. The cybersecurity baseline for small businesses moved over the last few years, and IT people who haven’t kept up are giving outdated advice. If your current IT support is still saying things like “antivirus is enough” or “we don’t really need MFA, it’s a hassle for the team,” you need a different conversation.

Either with them, about why their thinking is dated. Or with someone else.

Curious where you stand?

If you want a quick read on where your business stands today, we offer a free Cyber Score assessment. It takes about five minutes and doesn’t require a sales call. You get a baseline for the conversation, whether the next conversation is with us or with whoever you’re already working with.

If you’d rather just have the conversation: book a 30-minute discovery call. We’ll walk through your current setup and what you actually need. Where the gaps are usually becomes obvious in that conversation.
