Actionable guidance (prioritised for time-poor SMEs)
These are practical steps that map to Cyber Essentials-style baseline controls without needing an enterprise budget.
How should SMEs secure an embedded business number?
1. Treat the number as a privileged asset: decide who can provision eSIMs, port numbers, or change call forwarding; document it like you would a bank mandate.
2. Lock down account recovery: remove SMS resets where possible; use authenticator apps or passkeys for critical services; keep recovery codes in a secure vault.
3. Enforce MFA on the platform accounts: protect the banking app account and the email account it relies on; attackers usually start with credentials, not malware.
4. Stop “shared phone” habits: if the shop floor uses one handset, assume credentials will leak; instead, issue named logins and separate roles, even for micro-businesses.
5. Set a minimum device baseline: screen lock, auto-update, encrypted storage, remote wipe, and no sideloaded apps; your outsourced IT can usually apply this quickly.
6. Build a two-page incident routine: if a number is hijacked, you need a fast plan to freeze changes, contact the provider, alert the bank, and notify impacted clients where appropriate.
What should advisers tell directors to ask this week?
* “Who can port our business number, and how do we prove it is us?”
* “Which systems still use SMS codes, and can we replace them?”
* “If a director’s phone is stolen tonight, what exactly happens tomorrow morning?”
The control themes above align with NCSC advice for small organisations: prioritise strong authentication, secure devices, and sensible admin control because common attacks target logins and user behaviour. They also support Cyber Essentials outcomes around access control, secure configuration, and malware protection, without turning your business into a compliance project. For personal data in business comms, the ICO is clear that UK GDPR requires security appropriate to the risk, which includes controlling access and reducing accidental disclosure.
SME Takeaway
Run a 20-minute “number takeover drill”: list every service that sends login or payment codes to a phone number, then replace the highest-risk ones with app-based MFA and locked-down admin rights.
