Where SMEs get caught out
Most SMEs do not only use phone lines for phones. Legacy lines can quietly support alarm signalling, lift auto diallers, payment terminals, door entry systems, and backup connectivity. The uncomfortable moment comes during cutover, when a supplier ports your number successfully but the “small” line in the comms cabinet turns out to be tied to something business critical.
There is also a fraud angle that advisors increasingly see. If an attacker gains access to a cloud telephony admin portal, they can change call routing, set up call forwarding rules, or create new users. That can enable impersonation and invoice fraud, even if the rest of your IT looks reasonable. This is why sme cyber security best practices need to cover telecoms, not only laptops and email.
A practical, low drama plan that reduces risk
Start with clarity, not procurement. Create a single view of what will be impacted by the PSTN switch off, including any analogue dependent services. Once you have that list, you can make sensible decisions about what moves to VoIP, what needs a dedicated replacement service, and what can be retired.
Next, treat the move as a security change as well as an IT change. Use individual admin accounts, turn on multi factor authentication (MFA) for all telecoms and billing portals, and ensure logging is available so you can see who changed call flows and when. These controls are familiar and affordable; they align well with Cyber Essentials thinking around access control and secure configuration.
Finally, build in resilience. Agree a cutover plan with a rollback option, test inbound and outbound calling properly, and make sure someone can manage the system outside of office hours if you trade evenings or weekends. If you outsource IT, confirm who owns incident response for telephony. When something breaks, “not my contract” is not a strategy.
The compliance and governance angle for directors
If calls are recorded or call analytics include personal data, UK GDPR security measures still apply. You do not need perfection; you do need sensible supplier checks, least privilege access, and the ability to investigate incidents. NCSC guidance for SMEs repeatedly comes back to getting the basics right and making them routine. Apply that same discipline to your new voice platform and you will reduce risk while modernising.
Forward Thinking
SME Cyber Insights is tracking sme cybersecurity news and the knock-on effects of the PSTN switch off on SME cyber resilience. Subscribe for a practical readiness checklist you can share with your telecom’s provider, IT partner, and professional advisors before costs and timelines tighten further.
