What should small businesses do first? High-impact steps you can implement this week
Start with controls that reduce fraud and limit blast radius, without needing an enterprise budget:
1. Create a line and dependency inventory (60 minutes). List every PSTN-connected service: handsets, alarms, EPOS, entry systems, fax, lift lines, and auto-diallers. Note the owner, supplier, and renewal date. This stops “mystery lines” breaking on cutover day.
2. Lock down voice admin access. Turn on multi-factor authentication (MFA) for the voice portal and any Microsoft 365 or Google accounts used to manage it. Remove shared admin accounts; use named admins and least privilege.
3. Set call forwarding and international dial rules deliberately. Disable international and premium-rate dialling unless needed. Add alerts for changes to routing, admin users, and billing thresholds (most hosted voice platforms support this).
4. Add a simple fraud “call-back” rule for payments. For any change of bank details or urgent payment request, require a call-back using a trusted number from your CRM or supplier onboarding record, not the number in the email. This is cheap, fast, and highly effective against impersonation.
5. Plan for power and broadband failure. Digital voice may need power on-site. Put the router and any essential handsets on a small UPS, and set a fallback (mobile diversion, secondary broadband, or a pre-agreed manual process).
6. Treat voice logs as security data. Keep call detail records and admin audit logs. If a fraud attempt happens, these logs support investigation and insurer queries.
7. Align to recognised UK guidance. Use the NCSC Small Business Guide and Cyber Essentials controls as your baseline: secure configuration, access control, malware protection, patching, and firewalls. Map your voice platform into those same controls, not as a separate “telephony” island.
8. Remember UK GDPR security expectations. If calls involve personal data (appointments, payments, health details), ensure “appropriate technical and organisational measures” cover the new system, including access control, staff training, and incident handling.
Takeaways for SME cyber resilience
The PSTN switch-off is a forcing function. Done well, it improves capability and resilience. Done in a rush, it creates a new fraud and outage surface. Focus on identity security (MFA), tight admin control, payment verification, and basic resilience planning, and you will be ahead of most small firms.
Download or create a one-page “Digital Voice Cutover Checklist” and use it to run a 30-minute meeting with your IT supplier and finance lead, then assign owners and dates for the eight actions above.
