CX Security & Privacy News | Compliance Updates | CX Today
https://www.cxtoday.com/security-privacy-compliance/
Customer Experience Technology News
Mon, 01 Dec 2025 19:00:33 +0000

Zendesk and Microsoft Targets The Small Business Market in Latest Partnership
https://www.cxtoday.com/security-privacy-compliance/zendesk-and-microsoft-targets-the-small-business-market-in-latest-partnership/
Mon, 01 Dec 2025 19:00:36 +0000

Zendesk has expanded its partnership with Microsoft to enhance employee services for smaller businesses.

By integrating Microsoft 365 products into the software company’s platform, Zendesk customers can access Agent 365 capabilities for intelligent productivity. 

In turn, Microsoft has implemented Zendesk Agent within 365, allowing its customers to access tools to enhance service productivity and workflow efficiency. 

Craig Flower, Chief Information Officer at Zendesk, highlighted how the partnership expansion would improve Zendesk’s ability to deliver a superior customer experience. 

“Our collaboration with Microsoft on Agent 365 and Zendesk Agent for Microsoft 365 Copilot is a pivotal moment for Zendesk,” he explained. 

“This collaboration not only solidifies our position as a leader in enterprise AI automation but also ensures that Zendesk remains at the forefront of the evolving digital worker landscape.  

“By integrating with Agent 365 and Microsoft 365 Copilot, we are empowering our customers with both autonomous and streamlined support capabilities, optimizing operations, and ultimately delivering a more efficient and reliable employee experience within Microsoft 365.” 

Improving Service Experience 

This partnership aims to upgrade small business experiences by using both tools to meet their tailored needs.

With Microsoft Agent 365 established within Zendesk’s platform, the AI offers Zendesk’s customers autonomous ticket management support with reduced human intervention.

These capabilities include ticket creation, handling, status monitoring, and communication management within Microsoft’s environment to ensure data governance requirements are met. 

This allows human service agents to shift away from constantly reviewing routine queries and return to high-demand, complex tasks. 

In return, Zendesk Agent has been integrated into Microsoft 365 Copilot to support its core apps with ticketing capabilities, such as ticket submissions, status monitoring, and following up tasks without the need to switch tools. 

Similar to the first integration, this capability is managed within Microsoft’s environment, resulting in limited friction for tool management and deployment.  

As a result of the integration, agents can experience direct AI-assisted support in several routine task areas, resulting in higher responsiveness, resolution, and reduced waiting times. 

This AI integration allows smaller businesses to elevate their service demands to the level of any well-established company, including delivering higher productivity and service levels. 

By implementing these tools directly within a business, teams can manage their workflows effectively without agent intervention. 

Furthermore, both tools offer customers security and compliance management for handling adoption risk within a governed ecosystem.

Targeting The Small Business Market 

The integration follows a similar trend in recent months of larger vendors trying to dominate the small enterprise customer corner by offering tailored products and services to fit their needs. 

Earlier in November, Zoom had secured its commitment to providing service capabilities to companies of various sizes with simple, straightforward tools to enhance their businesses. 

The communications giant notes how businesses with smaller teams have different demands than larger ones, forcing some to juggle various workloads across the board to keep up with demand.

This means vendors will need to personalize their tools and approaches to cover more ground and advance these smaller businesses to the industry standard. 

This has been a well-documented issue in the CX industry, as various companies have recently eliminated support for enterprise customers that don’t meet their size standards. 

Unfortunately, some customer enterprises that are unable to deliver desirable profit results for a vendor may be asked to cancel their subscription if the vendor can no longer provide the services needed or intends to focus solely on its largest customers.

However, companies such as Microsoft and Zendesk have offered support for this neglected market, supplying these customers with both tools to elevate their teams while prioritizing their unique requirements. 

Srini Raghavan, Corporate Vice President for Microsoft Copilot and Agent Ecosystem, explained how the tool collaboration will offer these enterprise customers support across a range of business needs, and allow them to elevate their issue resolutions even at their current capacity. 

He said, “AI is transforming how organizations deliver employee service, and Microsoft’s collaboration with Zendesk is leading that change by enabling a new era of intelligent support. 

“We’re combining the power of Microsoft 365 Copilot’s intelligence with Zendesk’s modern service platform, enabling employees to resolve IT, HR, and Finance issues seamlessly within the tools they use every day.” 

Microsoft Steps Up Efforts to Support European Customers’ Data Sovereignty
https://www.cxtoday.com/security-privacy-compliance/microsoft-supports-europe-customer-data-sovereignty/
Mon, 01 Dec 2025 19:00:33 +0000

Data sovereignty is top of mind for business leaders across Europe, shaping strategic decisions at Microsoft’s customers, according to panelists at the tech giant’s European Digital Commitment Day in Vienna, Austria last week.

Digital sovereignty, the ability for an organization to maintain clear control over how its data is stored, accessed, and governed, has moved from a technical concern to a board-level priority. As organizations expand their digital footprints and accelerate cloud adoption, rising regulatory scrutiny and growing customer expectations are forcing businesses to rethink how they manage data.

Sovereignty means different things to different people, the panelists noted, but the common thread is the need to take control over customer data, which has become essential to maintaining trust. The pressure to demonstrate that control is now shaping transformation plans, vendor choices and long-term customer experience strategies.

Control of Critical Data Is Becoming a Strategic Must

The energy crisis following the invasion of Ukraine exposed the geopolitical dimension of critical infrastructure, reinforcing the need for systems that can operate independently in extreme circumstances.

“Digital sovereignty is about stability and resilience,” said Julia Weberberger, Head of Corporate Strategy at Energie AG Oberösterreich, describing it as a source of power. “[W]e have to make sure that we operate our critical data on our own. We operate our own data center, with emergency power supply, and rely on a multi-provider strategy to create redundancies… It’s also very important that we build expertise in digital sovereignty in Europe, but also within our company.”

Europe is developing a new mindset built on innovation and security, Weberberger said, shaping companies, knowledge, opinions and even social narratives. In this environment, European data sovereignty is becoming a key strategic concern that requires balance.

As Martina Saller, Public Sector Sales Lead at Microsoft Austria said:

“It’s not a black and white discussion. It’s not about choosing the path of sovereignty or choosing the path of innovation. It’s about balancing and orchestrating… a risk-based approach.”

That layered approach should separate highly sensitive workloads from those suited for cloud-based innovation.

Public administrators highlighted that sovereignty is multidimensional: technical, legal, economic and emotional. What customers want above all is visibility and choice. As one leader emphasized, beyond control over data processing and storage, true sovereignty also means being able to choose the parts of a technology package they need rather than being required to buy licenses for bundles, which drives up costs.

Procurement rules, however, are still playing catch-up. With different requirements scattered across the EU, organisations often end up doing the same work multiple times. A more unified approach that allows for shared certifications and tech that plays nicely across borders would make it easier for businesses and public bodies to build modern, sovereign digital systems. And to make sure those sovereignty rules help innovation instead of getting in the way, organizations say they need clear guidance and strong partnerships with their tech providers.

What Customers Need from Cloud Partners

A recurring message throughout the discussion was that sovereignty cannot be achieved in isolation. Customers expect their cloud partners to help them meet changing regulatory, security and operational demands.

As Norbert Parzer, Certified Public Accountant, Tax Advisor and Partner at EOS put it, “first find the companion before you start the journey.”

To address concerns around extraterritorial data access, Jeff Bullwinkel, VP and Deputy General Counsel, Corporate External and Legal Affairs at Microsoft EMEA, detailed the steps the vendor has taken to provide assurance and legal protection.

The tech giant has built the EU Data Boundary for the Microsoft Cloud to “mitigate the risk, or reduce the surface area of risk by just reducing situations in which data is transferring from one continent to another.”

Just as crucial is Microsoft’s assurance that it will resist demands from governments to divulge customer data, Bullwinkel said:

“When Microsoft gets a request or a demand in order for data from any government around the world, we have a contractual obligation to litigate against that order whenever there’s a lawful basis for doing so. And we have quite a history of doing that…with a view toward guarding against that kind of risk and so we will continue in the future as well.”

Microsoft has also expanded its sovereign controls and confidential computing to ensure that customers hold the keys to their data.

The vendor recently announced expanded capabilities for its Sovereign Public Cloud and Sovereign Private Cloud. By the end of this year, customers in four countries—Australia, the United Kingdom, India and Japan—will have the option to have their Microsoft 365 Copilot interactions processed in-country. This will be expanded to 11 more countries in 2026: Canada, Germany, Italy, Malaysia, Poland, South Africa, Spain, Sweden, Switzerland, the United Arab Emirates, and the U.S.

These capabilities directly address customer expectations for operational autonomy and regulatory compliance.

Partnerships help empower organizations to keep control over their processes and architecture, so that digital transformations are secure and interoperable. Organizations across sectors are embracing AI, but they need to be sure that the models they use preserve transparency and control.

“There are many areas we see it’s important to have a good collaboration. And for that, trust is… obligatory. It’s the absolutely necessary thing. And it cannot just be a marketing promise,” Weberberger said.

The use of large language models (LLMs) raises critical questions when it comes to maintaining control over customer data, Weberberger noted, highlighting the need for transparency around who trains the data, who defines which information AI models are allowed to use, how ethical principles are implemented and who has the control and influence over the models.

“We need answers in the future when it comes to… how these LLM models are trained. Many providers tell us ‘we don’t use the customer data to train our LLM.’ But for us, still, the question remains, but how do the providers develop their LLMs when they don’t use the customer data to train them? Here we need clear agreements that we all know how it works, and openness to trust.”

For critical sectors like energy, innovation must align with stringent risk-management requirements without compromising safety or resilience.

Data Sovereignty as a Shared European Project

Panelists underscored the need for different regulators in Europe to get on the same page when it comes to digital rules, to create a clearer, more unified set of standards that works in practice and gives organizations the confidence to keep innovating.

“Policy makers and industry representatives should work together on defining clear, understandable and practical frameworks, which has not always happened in the past,” Parzer said.

“It’s about establishing certainty for market participants at the end… They should understand that innovation is not a luxury. It is just an enabler for our economic growth and insurance for our future. So it is all about defining rules that are going to balance innovation with compliance.”

And when those standards line up, it doesn’t just cut down on compliance headaches — it makes it easier for governments and regulated industries to embrace AI and cloud tools, giving them the guardrails they need to move ahead with confidence.

The conversation made one point clear: sovereignty is no longer a static concept. It is a shared responsibility shaped by policy, technology, and partnership. Customers expect cloud providers not only to deliver secure platforms, but also to collaborate, openly and continuously, on the frameworks, tools, and governance models that will define Europe’s digital future.

As the panel demonstrated, when customers, policymakers, and technology providers align around transparency, control and trust, Europe can innovate at the pace required to remain resilient and competitive.

“I think we cannot expect this topic is going to go away,” Bullwinkel said. “These things are front of mind, absolutely, for our customers, for our partners, for government leaders… Things we’ve been talking about… around data privacy, around data security, around resilience, around data residency, these are all things that will continue to inform the conversation.”

OpenAI Discloses Mixpanel Hack, Highlighting Risks in Third-Party Data Security
https://www.cxtoday.com/security-privacy-compliance/openai-discloses-mixpanel-hack-highlighting-risks-in-third-party-data-security/
Mon, 01 Dec 2025 10:22:26 +0000

OpenAI has been exposed to a security breach at Mixpanel, a data analytics vendor that the GenAI developer used to support its API frontend product. The incident highlights the growing risk around third-party integrations and the potential for customer data held by the major AI providers to be exposed.

On November 9, 2025, Mixpanel notified OpenAI that an attacker had gained unauthorized access to part of its systems and exported a dataset containing some customer information and analytics data related to the API. Mixpanel shared the affected dataset with OpenAI on November 25, the company stated in a blog post.

The breach occurred within Mixpanel’s systems and there was no unauthorized access to OpenAI’s infrastructure and systems. ChatGPT and other OpenAI products were not affected. “No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed,” OpenAI stated. It also confirmed that session tokens, authentication tokens, and other sensitive details for OpenAI services were not involved.

But Mixpanel’s systems had access to user profile information from platform.openai.com. According to OpenAI, the information that may have been affected included:

  • Users’ name and email address
  • Operating system, browser and location (city, state, country) used to access the API account
  • Referring websites
  • Organization or User IDs associated with the account

OpenAI has removed Mixpanel from its production services and said it is working with the company as well as other partners to gauge the scope of the incident and determine whether any further response actions are needed. It is in the process of directly notifying the organizations, admins and users that were affected by email.

“While we have found no evidence of any effect on systems or data outside Mixpanel’s environment, we continue to monitor closely for any signs of misuse,” the post stated.

The incident is a reminder that exposure of non-critical metadata can introduce security risks, and sharing identifiable customer information with third parties should be avoided. As Ron Zayas, Founder and CEO of Ironwall by Incogni, told CX Today in a recent interview:

“The smart play is to learn how to sanitize your data. You don’t have to share 100 pieces of information on one of your customers with an outside company. It’s stupid. Why are you sharing all that customer information?”

Enterprises often underestimate the value of metadata to attackers, as it doesn’t contain critical information like customers’ login credentials or payment details. But malicious actors use the information to create credible phishing or impersonation campaigns, which are becoming an effective way to deploy ransomware attacks through social engineering. Having a person’s real name, actual email address, location, and confirmation that they use OpenAI’s API makes malicious messages look far more convincing.

OpenAI acknowledged this in the blog post, advising its API users:

“Since names, email addresses, and OpenAI API metadata (e.g., user IDs) were included, we encourage you to remain vigilant for credible-looking phishing attempts or spam.”

Users should “[t]reat unexpected emails or messages with caution, especially if they include links or attachments. Double-check that any message claiming to be from OpenAI is sent from an official OpenAI domain,” the post added. It also encouraged users to protect their account by enabling multi-factor authentication “as a best practice security control” and noted that OpenAI doesn’t request credentials such as passwords, API keys or verification codes through email, text or chat.

Complex AI Stacks Open More Ways In for Attackers

As with recent cyberattacks exploiting third-party platforms, the incident serves as a reminder that API-based architectures will only become more vulnerable with the use of AI in enterprises. AI systems are too complex for most companies to develop in-house, so they build stacks of third-party tools using APIs, all of which collect operational metadata and open up more attack vectors.

While vendors and enterprises are tempted to collect as much customer information as possible to train AI models as well as deliver personalization, they need to be judicious in the types of information they collect and store, Zayas said, as the risk of data breaches in the AI era will become “much more significant.”

“Companies are opening up all of their data and feeding it to an AI engine. And how secure are the AI agents? They’re led by big companies, but big companies get breached all the time.”

Zayas warned that the major AI and cloud providers like OpenAI, Google and AWS will become increasingly vulnerable as hackers target them for their wealth of data:

“When your data is sitting there, you’re going to get attacked. If I can pull out information… from an AI provider, I am going to get so much rich data that I don’t have to worry about attacking a lot of companies… That’s where companies and criminals are putting all their time and effort—going to the big ones. If you’re giving them data, you are much more of a target.”

Enterprises need to get smarter about the data they share with AI tools to get the outcomes they need. Customers’ personally identifiable information can often be removed to anonymize the data without affecting how the tools work, Zayas noted.

“You’re going to see the breaches being more and more related to the amount of information that’s coming out with AI, the amount of information that’s being enriched, and companies are going to suffer from this.”

Enterprises also have to train employees to avoid carelessly uploading spreadsheets and other files to chatbots like ChatGPT, because even if a company’s systems aren’t hacked, malicious actors may be able to extract customer information using certain prompts.

As the adoption of AI tools accelerates, enterprises should treat every handoff to an AI provider as a potential point of exposure of their customer data. Limiting the amount and sensitivity of information sent to these systems and designing workflows that avoid unnecessary data transfer can reduce the impact of a breach, protecting customers as well as the company’s reputation.

 

8×8 Enhances Security and Privacy Portfolio For Secure Customer Data Handling
https://www.cxtoday.com/security-privacy-compliance/8x8-enhances-security-and-privacy-portfolio-for-secure-customer-data-handling/
Thu, 27 Nov 2025 12:40:48 +0000

8×8 has announced its decision to implement a privacy standard to protect customer data privacy.

The cloud communications vendor revealed that it had taken significant measures to strengthen its service governance. 

This strategy will allow the company to expand its range of security and compliance frameworks, establishing itself as a trustworthy provider for customer enterprises. 

The standard, ISO/IEC 27018, is a well-established privacy standard used by enterprises worldwide to protect customer data in public cloud environments.

And with security concerns now at an all-time high, vendors will need to consider how best to protect their customers’ data. 

Darren Remblence, Chief Information Security Officer at 8×8, highlighted how customer demand for security around data management is a bare minimum requirement. 

“Customers should never have to trade speed or innovation for security,” he explained.

“ISO/IEC 27018 gives organizations even stronger guarantees that their data is handled responsibly and transparently.  

“It means they can move faster, meet compliance requirements with confidence, and trust that privacy is built into every part of their communications experience.”

This privacy standard is a code of practice for protecting personal data handled by public cloud providers, shielding any private or personally identifiable information (PII) from falling into the hands of third parties.

It contains core requirements for enterprises that choose to adopt this standard, such as processing data with customer consent, supporting customer data handling, being transparent about data protection approaches, and implementing strong security measures, including restrictions and encryption methods.

This standard also includes controls for handling data access, use, transparency, and dealing with incident response. 

This assures customers that 8×8 is meeting the higher standards required for durable data handling. 

What This Means For 8×8 Customers

This implementation into 8×8’s security management system enhances privacy and security for 8×8 Platform for CX, a unified CX communications platform that includes multiple capabilities for customer-facing teams and customer interaction management. 

Customer enterprises can enhance their vendor onboarding routines with faster security evaluation, reduced data exposure risk, and transparency with data handling. 

It also enables 8×8 customers to feel secure in where they place their data, with constant review and improvement from the vendor’s security and compliance team to ensure these standards are kept, including privacy practices, data handling, and cloud architecture. 

And with the customer playing a significant role, data processing can only happen under customer instruction, and the customer is kept consistently informed about where its data is stored and who can access it.

This highlights 8×8’s commitment to its customers’ privacy and security, assuring that data handling is less likely to be compromised or misused. 

Growing 8×8’s Security Portfolio

The privacy standard also allows 8×8 the chance to build up its security and compliance portfolio to meet the growing demands from customer expectations. 

This portfolio has also included similar frameworks, including ISO/IEC 27001, ISO/IEC 27017, SOC 2, and HIPAA mapping, which involve building and assuring security controls and management within a system, as well as several other regulatory standards to assure 8×8’s commitment to security requirements. 

This decision also comes during a time when customer expectations have risen significantly in the last year, after a wave of cyberattacks that profoundly impacted the customer experience sector, including CX giants such as Salesforce, Zendesk, and Google. 

This places risk on data handling processes such as migration and storage methods, forcing vendors like 8×8 to stay ahead of cyberattack activities. 

Data Sovereignty Becomes a Strategic Imperative Under Europe’s Compliance Rules
https://www.cxtoday.com/security-privacy-compliance/data-sovereignty-becomes-a-strategic-imperative-under-europes-compliance-rules/
Tue, 25 Nov 2025 17:23:38 +0000

Across Europe, the issue of data sovereignty has quietly shifted from a compliance box-ticking exercise to one of the primary filters through which companies judge their tech choices.

As governments and enterprises deepen their reliance on cloud and AI technologies, control over where data is stored and how it is processed has become central to maintaining operational resilience and regulatory compliance, and most importantly, customer trust.

More than 80 percent of business leaders cite data sovereignty as a strategic business priority, according to research by German analyst firm BARC.

“We have to get a lot better at understanding that data is money, and we need to put the security that we’ve had in place around money for 1,000 years around data,” online privacy expert Ron Zayas, CEO of Ironwall by Incogni, told CX Today in an interview.

Companies are feeding their data to AI engines to train their models, but regulations like the EU Data Act, which creates rules for data sharing and access—not to mention growing cybersecurity threats—require them to tread carefully. As Zayas put it:

“We need to understand that the same way you wouldn’t let your employees interact with networks without a firewall, you can’t let companies interact with AI without having some type of firewall in between and understanding what data you can share.”

Recent moves by European and global technology leaders indicate that they are responding to accelerating demand for a sovereignty-driven approach to innovation.

The Rise of Europe-Built Cloud and CX Solutions

Odigo, a European CCaaS and CXaaS provider, recently acquired Akio, a French software vendor specialising in AI-powered CCaaS solutions for SMEs and mid-market firms. The merger brings together Odigo’s enterprise-scale CX offering with Akio’s capabilities in AI, voice of the customer analytics, and reputation management.

But beyond expanding product portfolios, the acquisition represents a strategic move to consolidate European technological capabilities and reduce dependence on non-European cloud providers. (Aside from data sovereignty, that push is becoming more significant given recent cloud service outages.)

As Odigo stated in announcing the deal:

“[T]he merger of two complementary French vendors with a strong presence across Europe reinforces Odigo’s ambition to create a competitive European alternative to the American firms in the sector. This approach comes at a time when European companies are placing greater focus on data sovereignty and control over their technological environments.”

Patrick Giudicelli, Founder and President of Akio, added: “Joining Odigo means joining a French company that shares our values of customer proximity and sovereignty.”

The newly combined company offers a customer engagement ecosystem designed and hosted within Europe, where data control and regulatory compliance are built into the architecture.

Global Platforms Are Localizing Data and AI Operations

The big tech players are also evolving their approaches to sovereignty. Last week, enterprise AI platform Workday announced the rollout of its Workday EU Sovereign Cloud in 2026, keeping its European customers’ data local and secure.

All operations, including AI processing, data center access, support, and maintenance, ensure customer data is managed by EU-based personnel and never leaves the region.

“Workday understands how quickly evolving data sovereignty requirements can make it difficult for organizations to keep pace,” Gerrit Kazmaier, President, Product and Technology at Workday, said in the announcement. “Workday EU Sovereign Cloud gives our customers the freedom to innovate and grow confidently—helping them harness the power of AI while knowing their data remains protected and compliant.”

EU Sovereign Cloud is built on AWS infrastructure and spans multiple, geographically separated data centers to provide redundancy for key systems. Hardware protections prevent unauthorized access, and end-to-end encryption safeguards data whether it is in use, in transit, or in storage. An EU advisory board provides oversight to strengthen transparency and adherence to European sovereignty and security standards, Workday said.

The vendor plans to extend the offering to other regions down the line, but there’s no surprise that it’s starting with Europe first, given the region’s strict data rules.

Tech giant Microsoft has added a new set of capabilities to its Sovereign Public Cloud and Sovereign Private Cloud offerings that build on its digital sovereignty controls to deliver AI and cloud services strengthened by its ecosystem of specialized in-country partners.

The update includes end-to-end AI data processing within the European Union’s Data Boundary, the general availability of Microsoft 365 Local, and localized versions of its Copilot AI assistant in four countries by the end of the year, with 11 more to follow in 2026. That ensures Copilot interactions are typically processed in data centers located within a nation’s borders, to give customers greater control over where their data goes.

Microsoft has also extended its Sovereign Landing Zones for Azure and introduced new infrastructure capabilities, such as support for external SAN storage and the latest NVIDIA GPUs, to help enhance the performance of local deployments. The company is expanding its ecosystem of regional experts through a Digital Sovereignty specialization.

Microsoft acknowledged that organizations in Europe and other jurisdictions face a complex slate of regulatory mandates, as well as heightened expectations for resilience. As Douglas Phillips, President and Chief Technology Officer, Microsoft Specialized Clouds, stated in the update:

“Sovereignty has become a core requirement for governments, public institutions, and enterprises seeking to harness the full power of the cloud while retaining control over their data and operations.”

The conversation around data sovereignty has also been amplified by Zoho, which raised the issue in releasing its latest Zoho One upgrade.

The vendor highlighted the value of controlling the full technology stack and emphasized that operating its own infrastructure through to applications allows it to offer deployment models that give customers the control they need to meet regulations and provide transparency to their end users.

“We are doing these on-premise deployments in some countries where your data center has to be set up in that country, because we own… the entire stack … we are able to do it particularly when dealing with governments,” Raju Vegesna, Chief Evangelist at Zoho, said during a media briefing.

This approach allows organizations to maintain national or regional control over critical communication systems, an increasingly common requirement for enterprises that need to guarantee uninterrupted access to essential services.

These initiatives reflect a broader market realignment and a recognition that sovereignty does not need to be a constraint on innovation but can be a selling point for vendors. European enterprises increasingly expect cloud and AI providers to deliver verifiable assurances of data control and jurisdictional compliance.

As regulatory demands tighten and put more pressure on enterprises, from the EU Data Act to AI rules and sector-specific cybersecurity requirements, cloud providers that can offer data sovereignty by design are likely to gain a competitive edge.

 

Microsoft Heightens Security and Governance in AI Transformation Strategy https://www.cxtoday.com/security-privacy-compliance/microsoft-heightens-security-and-governance-in-ai-transformation-strategy/ Wed, 19 Nov 2025 09:00:19 +0000 https://www.cxtoday.com/?p=76335 Microsoft has introduced its Sales Development Agent to its roster of security and governance guarded AI agents. 

At Microsoft Ignite 2025, the company announced that its innovations for AI transformation were being introduced to Microsoft’s Frontier – its preview program for customers to gain early access to newer products. 

This agent is just one of several products Microsoft has announced to address security and compliance issues in AI agents. 

Sales Development Agent 

The Sales Development Agent is designed to advise sales teams on increasing their selling capacity. 

As a fully automated agent, this tool can be used to research, authorize, and handle outreach even after business hours, supporting steady revenue growth. 

This tool can work independently of a human agent, utilizing personalization for seller outreach with automated follow-ups to maintain client-seller relationships that extend beyond a company’s working time zone, as well as hand off leads to human sellers when needed. 

The agent operates through Microsoft’s security and compliance rules, ensuring that the tool can be utilized safely and efficiently in Microsoft 365 without security gaps. 

Microsoft has launched further security and compliance-focused tools to address frequent concerns around AI agents and how they operate around sensitive data. 

These tools are designed to be manageable and to monitor any suspicious activity, risky behavior, or possible threat to data exposure or accidental leaks, helping enterprises to govern their agents reliably. 

Other Security and Compliance Tools 

Entra ID 

Microsoft has announced that Entra ID has expanded its secure identity and access to adapt to the AI era. 

The tool allows users to manage accounts and resources securely, including multi-factor authentication for extra security checks, activity monitoring, and secure cloud workloads. 

It can also help guide at-risk users away from data threats, detect unauthorized AI usage, and prevent overprivileged agents from accessing controls. 

Defender 

One core component of the tool is to govern and protect AI agents across Microsoft’s ecosystem. 

As a unified platform for governance and threat protection, Microsoft Defender can offer protection across all environments where AI agents are active, deploying AI-powered security bots to monitor newer zones to forecast potential criminal activity. 

This includes safeguarding against any potential threats and vulnerabilities to an agent, as well as resolving and investigating incidents where necessary. 

Microsoft Purview

Alongside Entra and Defender, Microsoft Purview is included in Microsoft Agent 365 to ensure compliance across Microsoft. 

It is an AI-enhanced control plane component, in charge of handling recently deployed AI agents to prevent agent-specific risks, rather than being focused on human data. 

The tool also allows customer enterprises to view an agent’s status, their typical tasks and interactions, as well as their current risk level to prevent data loss.  

Foundry Agent Service

This tool includes built-in features to support security, oversight, and policy alignment, such as agent controls that limit the amount of data an AI agent can access. 

Foundry also provides security and compliance teams with real-time tracing and full insight visibility to investigate and review activity. 

It also works with other Agent 365 tools to handle threat detection and prevent data loss, ensuring that all agents are screened properly. 

Edge for Business Security Features 

The browser environment allows companies to hide information with a watermark overlay and set boundaries on web apps to stop data from being copied. 

These features can be used by organizations to secure sensitive information and prevent data leakage by aligning company policies to the tool. 

This can be monitored from within the Microsoft 365 admin center across various devices. 

Microsoft Ignite 2025

Microsoft Ignite will run from Tuesday 18th November to Friday 21st November in San Francisco. 

The company has emphasized its commitment to agentic AI and is set to showcase this message throughout the conference, as well as further touching on issues such as Security and Governance, and Identity and Access. 

You can find out more about the biggest CX announcements from Ignite 2025 here.

How Enterprises Can Fight Ransomware and Defend Customer Data https://www.cxtoday.com/security-privacy-compliance/how-enterprises-can-fight-ransomware-and-defend-customer-data/ Thu, 13 Nov 2025 16:27:26 +0000 https://www.cxtoday.com/?p=76151 Ransomware attacks were considered an IT problem in the past, but they’re increasingly a direct threat to customer trust. As enterprises face rising breaches that lock their systems and expose sensitive information, every moment of downtime or data loss affects the customer experience. Protecting customers’ data has become as essential to brand reputation as product quality.

That explains why 58 percent of organizations that suffered ransomware attacks in the past year paid the ransom to get their data back, according to Sophos’ State of Ransomware in Retail report. That was the second highest payment rate in five years. The median ransom demand doubled to $2 million from 2024, while the average payment increased by 5 percent to $1 million.

Retailers especially have had a tough year, as several large brands have suffered high-profile cybersecurity attacks. The threats are growing as attackers are constantly looking to exploit vulnerabilities. As demands for ransom payments reach new highs, enterprises in all sectors need to put in place comprehensive security strategies. Sophos’ research showed 46 percent of attacks began with an unknown security gap.

The nature of ransomware threats is changing, as malicious actors home in on phishing attacks as a way to gain entry into enterprise systems rather than attacking servers.

“We’re very focused on server security and network security. But in reality, what’s happening is that… over the last two years, 70 percent of ransomware attacks originated with an individual, rather than the server,” online privacy expert Ron Zayas, Founder and CEO of Ironwall by Incogni, told CX Today in an interview. “That’s coming from using data to create better phishing attacks that are so good that you’re clicking on them.”

These attacks have a direct impact on a company’s reputation and sales. Major casinos and large retailers have seen their performance plunge in the aftermath of breaches, Zayas noted.

“This isn’t theoretical. You’re losing a lot of money when customers perceive that A, you’re asking for too much information. And B, when something happens to you because you’re careless, they’re going to go somewhere else because they understand the threat to them.”

The challenge is escalating as hackers are using AI to create and automate more convincing phishing attacks, Chester Wisniewski, Director, Global Field CISO at security firm Sophos, told CX Today.

“The two most concerning aspects of AI are the higher quality of phishing attacks and the speed with which attacks can be conducted. AI doesn’t necessarily create new threats as much as it allows the existing techniques to be automated and executed more quickly,” Wisniewski said.

“One of the most important factors in defending networks isn’t just prevention, but also how quickly you can detect a breach and respond, ideally, before any data is stolen or encrypted.”

“If AI makes each malicious step easier, defenders will need to monitor 24/7 for breaches and be prepared to react in minutes, not hours, to prevent harm to unprotected data,” Wisniewski said.

Prevention Starts with Preparation

The key to avoiding ransomware attacks is preparedness. “Properly protecting your information and backups insulates you from all types of data theft and ransom attacks,” Wisniewski said.

But this is where many companies are falling down. According to Sophos, 62 percent of retailers that experienced attacks restored their data using backups. That was the lowest rate in four years, indicating that some companies are not generating regular backups that they can restore data from if the worst happens.

“The figures for retail in this year’s survey are very concerning,” Wisniewski said. “The lack of backups makes organisations even more reliant on paying criminals and hoping for the best to regain access to business-critical information.”

Identifying where security weaknesses are and performing reliable backups indicates an organization is taking a proactive approach to data security. “As we all know, an ounce of prevention is worth a pound of cure and this lack of preparedness results in higher incident costs and more loss of sensitive information harming an organization’s reputation,” Wisniewski said.

As ransomware attacks evolve to target individuals, enterprises need to understand how employee data can be leveraged to launch highly targeted attacks.

“That’s where it’s changed, and companies don’t fully understand even that the vector has changed, or how to protect themselves,” Zayas said.

“It’s the data on your employees that’s killing you, so the way to protect yourself is to remove the amount of data that is available on your employees.”

Enterprises are starting to realize that dark web monitoring tools can act as an early warning system against ransomware and data breaches. When attackers compromise a device, such as an employee’s phone, they often advertise that access on the dark web for anyone willing to pay.

In some cases, leaked credentials or access to infected devices can surface online weeks before a ransomware attack, and monitoring tools can send out alerts that give teams time to prepare.

“It’s a great way for you to jump in front of that, because once it’s in circulation, you’re toast; it’s too late,” Zayas said.

Organizations also need to reconsider the level of detail in the data they hold on customers.

For instance, recent security breaches through the Salesforce platform have succeeded because companies keep extensive customer records in the system, Zayas noted.

“One of the best practices for any company is to decide how much information you really need. Just because you can get more information and enrich it doesn’t mean it makes sense.”

Any interaction with a third party opens up a potential vulnerability. That’s why organizations need to think beyond protecting their servers.

Managing Vendor Risk to Prevent Data Breaches

“Everybody wants to jump on the AI bandwagon, and AI isn’t something that a standard company can do on their own. You have to work with a third party… because of the complexities,” Zayas said. “That becomes a huge attack vector for people going after ransomware.”

Several high-profile security breaches this year, such as Stellantis, Jaguar Land Rover, Harrods and Discord, have involved attacks on their third-party customer data platforms, not the company’s own servers.

Zayas warned:

“If you are a private company and you are sharing information, if you are putting your information to a third party, it’s like the old saying, whoever you sleep with, you’re sleeping with everybody that they ever slept with.”

“When you partner with somebody and you’re transferring data, you have to be much more aware of how you’re identifying that data, because now you’re vulnerable to whatever attack happens to them.”

As enterprises adopt AI tools to streamline data management and enhance decision-making, they often overlook the critical risk created by the fact that AI systems rely on large volumes of data. They are opening up their data and feeding extensive amounts of sensitive information into AI platforms. While these systems are managed by major providers, no organization is immune to breaches, potentially exposing customer data, Zayas said.

“Let’s go back in time a little bit to when there was a lot of cash… People didn’t come to rob your pizza place. They robbed the bank, because that’s where everybody was putting their money.”

Users need to understand that “data is the currency” that is now circulated, and this makes large AI providers and marketers more attractive to attackers than targeting a number of smaller companies, Zayas said. “You’re going to see the breaches being more and more related to the amount of information that’s coming out with AI, the amount of information that’s being enriched, and companies are going to suffer from this.”

Although enterprise teams want to collect as much information as possible to get richer AI outputs, “you need to be a lot smarter about what information you share to be able to get what you need,” Zayas said.

Removing personal information so that individuals are not identifiable will help to protect customers.

“The smart play is learn how to sanitize your data. You don’t have to share 100 pieces of information on one of your customers with an outside company. It’s stupid. Why are you sharing all that customer information when it becomes available?”

“It’ll still give you the same result you have without the customer information being there,” Zayas added.

When signing contracts with third-party providers, buyers should look for vendors based on their data sensitivity and make sure that they include clear privacy clauses and audit rights.

“Third-party risk management is the frontline defence for customer data,” Aben Pagar, Director at legal services firm Konexo, told CX Today. “Due diligence cannot stop at onboarding—continuous monitoring and assurance are vital. Embedding these controls creates a culture of accountability that protects data and strengthens trust.”

In the UK public sector, a proposed ban on organizations making ransom payments will require them to ensure their systems are resilient.

“The ban on ransom payments changes the calculus for procurement,” Pagar said. “Vetting suppliers for robust security and privacy practices is now non-negotiable.”

Keeping Customers Informed When Ransomware Strikes

When enterprises do fall victim to ransomware attacks, communicating with customers as much as possible is essential to provide reassurance that leaders are actively working to recover and safeguard their data.

“Customer communications are key during incidents to inspire confidence that you have capable experts handling the situation. Silence is very dangerous, as people’s imaginations are far worse than what your incident actually looks like,” Wisniewski said.

Although there are certain details that companies may not be able to provide because of legal constraints and law enforcement requests, “being open and sharing what you can goes a long way toward demonstrating your commitment to your customers and their privacy and security,” Wisniewski said.

Ransomware Recovery is a Team Sport

Given the proliferation of attacks, companies need to be prepared to bounce back quickly if a ransomware hit does happen. Testing backups regularly and knowing exactly how to restore systems if things go down are key. Staying on top of vulnerabilities, tightening access controls, and keeping a close eye on who has high-level permissions can make all the difference.

“Regular staff training reduces human error, and a robust incident response plan ensures clarity when seconds count,” Richard Chudzynski, Partner at Konexo, told CX Today.

Response plans must involve all teams. Ransomware and other cyberattacks are no longer just IT problems. Relying solely on IT managers to respond puts enterprises at greater risk because attacks now touch every aspect of the business.

“Resilience is a team sport,” Chudzynski said.

“HR safeguards employee data, procurement manages supplier risk, and business units handle customer information, while IT and cyber teams enforce technical controls. Legal and privacy teams set the regulatory framework, and internal audit validates compliance.”

When each team owns its role, organizations can communicate transparently during a crisis, helping to minimize disruption to the customer experience and reinforce trust, Chudzynski added.

Big CX News from Amazon, Zoom, Gartner & Zendesk https://www.cxtoday.com/ai-automation-in-cx/customer-experience-news-amazon-zoom-gartner-zendesk/ Fri, 07 Nov 2025 09:00:30 +0000 https://www.cxtoday.com/?p=75924 From Amazon suing Perplexity to Zoom targeting the small business market with a fresh acquisition, here are extracts from some of this week’s most popular news stories.

Amazon Sues Perplexity for Allegedly Misusing Its AI Shopping Tool

Amazon has threatened Perplexity with legal action after its shopping tool was accused of computer fraud.

On Tuesday, the startup’s Comet AI was accused of violating Amazon’s ban on robot and data gathering.

Amazon has previously warned Perplexity about the use of the tool on its shopping site.

In the claim, Amazon accused Perplexity of misconduct against its company’s terms of service, claiming that its agentic browser, Comet AI, was being used to access customer accounts and make automated purchases on behalf of a customer, without Amazon’s knowledge.

The accusation also claims that Perplexity has damaged Amazon’s customer experience by pretending to be a human consumer and accessing restricted sections of its website, threatening the trust and privacy of customers.

In a statement on Tuesday, a spokesperson for Amazon addressed the claims made against Perplexity.

They said:

“We’ve repeatedly requested that Perplexity remove Amazon from the Comet experience, particularly in light of the significantly degraded shopping and customer service experience it provides.”

Read on to find out more.

Zoom Eyes the Small Business CX Market with Bonsai Buy

Zoom has signed an agreement for the acquisition of Bonsai, an all-in-one client engagement and business management platform designed for solopreneurs and small businesses.

The deal underscores Zoom’s commitment to providing customer service features to businesses of all shapes and sizes, from enterprises to small-scale organizations.

In a nutshell, Bonsai’s solutions are built to support service professionals like designers, consultants, and architects by equipping them with an easy-to-use, unified workspace.

In doing so, it provides an accessible and affordable way for small businesses and solopreneurs to deliver a superior level of customer experience and improve customer loyalty.

In a blog discussing the acquisition, Vi Chau, General Manager of Online Business at Zoom, wrote that Bonsai “stands out in a market underserved by complex, enterprise-focused tools.

“At Zoom, we see an opportunity to simplify this effort by empowering solopreneurs to focus on growth, not administrative work.”

In practice, this means integrating Bonsai’s tools with Zoom Workplace, including products such as Meetings, Webinars, Team Chat, Zoom AI Companion, and Docs (Read more…).

Gartner Magic Quadrant for CRM Customer Engagement Center (CEC) 2025: The Rundown

Like almost every facet of the customer experience and service tech stack in recent times, the CRM Customer Engagement Center (CEC) landscape is in the midst of an AI-powered rethink.

Gartner’s Magic Quadrant for CRM Customer Engagement Center (CEC) 2025 underscores how swiftly the market has shifted from digital engagement to intelligent orchestration, with AI agents, automation frameworks, and composable platforms defining the new service stack.

While last year’s report reflected stability, 2025 marks a decisive pivot.

A fresh evaluation model, new scoring criteria, and a heavier focus on agentic AI have redrawn the map.

However, despite the changes, Salesforce was still comfortably the top of the pack, with Microsoft, ServiceNow, and Zendesk some of the major names trying to chase it down.

Read on to find out which other vendors made the latest report and what most impressed Gartner.

Phishing Campaign Targets Cloudflare Pages and Zendesk to Mimic Support Portals

A new phishing campaign is targeting customer support channels by abusing Cloudflare Pages and Zendesk, showing that even well-protected platforms can be manipulated.

Arda Büyükkaya, Cyber Threat Intelligence Analyst at EclecticIQ, has warned that threat actors have registered more than 600 *.pages[.]dev domains, using typosquatting to mimic legitimate customer support portals for popular brands.

Typosquatting is a technique in which attackers deliberately register domain names that are slight misspellings or variations of legitimate company web addresses, to trick users into thinking they are visiting the correct site. For example, a domain like zendeskcupport.pages[.]dev could be used to impersonate Zendesk’s official support portal while relying on users to overlook the subtle typo.

The phishing pages are “very likely AI generated and include an embedded live chat interface, staffed by a human operator who asks victims [their] phone number and email address under the pretext of providing technical assistance,” Büyükkaya explained in the post on X (formerly Twitter).

“The attacker then instructs victims to install a legitimate remote monitoring tool (Rescue), which grants them full remote access to the device.”

The goal appears to be stealing sensitive information and taking over accounts for financial gain (Read more…).

Phishing Campaign Targets Cloudflare Pages and Zendesk to Mimic Support Portals https://www.cxtoday.com/security-privacy-compliance/phishing-campaign-targets-cloudflare-pages-and-zendesk-to-mimic-support-portals/ Wed, 05 Nov 2025 15:08:09 +0000 https://www.cxtoday.com/?p=75780 A new phishing campaign is targeting customer support channels by abusing Cloudflare Pages and Zendesk, showing that even well-protected platforms can be manipulated.

Arda Büyükkaya, Cyber Threat Intelligence Analyst at EclecticIQ, has warned that threat actors have registered more than 600 *.pages[.]dev domains, using typosquatting to mimic legitimate customer support portals for popular brands.

Typosquatting is a technique in which attackers deliberately register domain names that are slight misspellings or variations of legitimate company web addresses, to trick users into thinking they are visiting the correct site. For example, a domain like zendeskcupport.pages[.]dev could be used to impersonate Zendesk’s official support portal while relying on users to overlook the subtle typo.

The phishing pages are “very likely AI generated and include an embedded live chat interface, staffed by a human operator who asks victims [their] phone number and email address under the pretext of providing technical assistance,” Büyükkaya explained in the post on X (formerly Twitter).

“The attacker then instructs victims to install a legitimate remote monitoring tool (Rescue), which grants them full remote access to the device.”

The goal appears to be stealing sensitive information and taking over accounts for financial gain.

Büyükkaya tagged Cloudflare to resolve the vulnerability.

Zendesk, which manages billions of customer interactions worldwide, has long worked with Cloudflare to protect its infrastructure.

Cloudflare has helped Zendesk handle large-scale security events in the past, including the global HTTP/2 Rapid Reset zero-day vulnerability, which affected AWS and Google Cloud servers. During that incident, Cloudflare reportedly blocked more than 201 million malicious requests per second, keeping Zendesk services unaffected.

But the current phishing campaign highlights a different challenge. While Cloudflare protects infrastructure and filters out automated threats, it cannot prevent attackers from creating convincing fake domains that exploit human trust.

The Human Element in Phishing

Attackers are leaning on the human side of customer experience. Phishing attacks succeed by exploiting human psychology, manipulating users by leveraging trust, familiarity and a sense of urgency to trick them into clicking links, entering credentials, or installing software. The Australian Signals Directorate government intelligence agency states:

“Malicious actors often go to great lengths to make their communication seem legitimate and trustworthy, increasing the chances that targeted personnel will follow their instructions.”

AI-generated content combined with human-operated chat makes these phishing attempts harder to spot and more effective.

The exploit is not the first time a weakness in Zendesk’s SaaS infrastructure has been identified. Back in January, CloudSek found that phishing campaigns and “pig butchering” scams were increasingly using the company’s offer of a free trial for subdomains to deceive users by imitating legitimate brands.

CloudSek alerted several clients to suspicious subdomains that used a combination of keywords related to their brand name and a string of numbers to appear legitimate.

Phishing attacks targeting Cloudflare’s pages.dev and workers.dev platforms have also increased, a report by Fortra indicates.

Cloudflare offers fast, reliable, globally distributed infrastructure that attracts developers and attackers alike. Pages.dev hosts web applications, while workers.dev allows code to run at the edge of Cloudflare’s CDN.

Both platforms benefit from Cloudflare’s trusted reputation, automatic SSL/TLS encryption, and free, easy-to-use hosting, which make phishing sites appear legitimate and professional. Attackers can also use custom domains, URL masking, and human verification pages to further create the appearance of credibility, making it more difficult for users to detect fraudulent activity.

Fortra emphasized that the surge in abuse reflects cybercriminals’ creativity rather than a flaw in Cloudflare’s technology.

Even when platforms are well-defended, phishing campaigns can exploit the channels meant to build trust with customers.

To guard against risk, users are advised to verify URLs carefully, enable multi-factor authentication and report suspicious activity to Cloudflare. Developers using Pages or Workers should monitor for unusual activity and ensure HTTPS connections are enforced.

This underscores the importance of ongoing user education. Employees and customers need to recognize the warning signs and understand safe practices for handling requests for sensitive information.

How the UK Telecoms Fraud Charter Aims to Safeguard Businesses and Customers https://www.cxtoday.com/security-privacy-compliance/how-the-uk-telecoms-fraud-charter-aims-to-safeguard-businesses-and-customers/ Wed, 05 Nov 2025 14:31:22 +0000 https://www.cxtoday.com/?p=75750 Telephony fraud isn’t new, but it’s becoming more complex, costly, and damaging, especially for businesses that rely on voice communications as a cornerstone of their customer experience.

As the telecoms ecosystem shifts to IP and cloud-based systems, fraudsters are exploiting vulnerabilities that can hurt companies’ reputations as well as their finances.

The UK’s biggest mobile networks have responded by signing a new Telecommunications Fraud Charter with the government, ahead of the upcoming UK Government Fraud Strategy, to introduce various measures aimed at reducing telecoms fraud. The signatories include BT EE, Virgin Media, O2, VodafoneThree, Tesco Mobile, Talk Talk, Sky, and trade association Comms Council UK (CCUK).

The networks have committed to upgrading their systems within the next year to stop overseas call centers spoofing UK phone numbers, making it clear when calls impersonating legitimate organizations originate from other countries.

Around 96 percent of UK mobile users decide whether to pick up a call based on the number shown onscreen, and three-quarters are unlikely to answer calls from an unidentified international number.

The mobile networks will develop call tracing technology to track down the origin of suspicious or fraudulent calls across interconnected networks and give police the information they need to find scammers operating in the country and dismantle their operations.

They will also design scalable, collaborative data-sharing models between telecoms service providers as well as banking and technology firms to make it harder for scams to go on undetected.

The agreement includes a B2B voice and telephony sub-charter focused on assisting business customers. CCUK, which represents the UK’s IP communications and Voice over Internet Protocol (VoIP) industry, will develop business victim support principles and best practice guidance to help members identify and respond to fraud.

Telecoms Fraud Increases Cost of Business Communications

Telephony fraud takes many forms, including spoofed numbers, call hijacking, PBX hacking, and toll fraud. And those threats are only increasing with the proliferation of AI tools. As fraudsters become more sophisticated, every interaction now carries a layer of doubt. Criminals use legitimate-looking numbers or brands to trick customers, or infiltrate business phone systems to route high-value calls overseas.

“The scammers are getting much more sophisticated. So although there’s great general awareness, I think it’s so easy to still get caught out,” Tracey Wright, Managing Director at Magrathea Telecoms and CCUK chair, told CX Today.

The immediate financial losses can be steep. A single incident of toll fraud can rack up thousands in unauthorized charges. But the broader damage—disrupted operations, lost productivity and compromised customer trust—is longer lasting.

Telecoms companies themselves take a hit because of the perception that they have failed to protect their customers or secure their networks.

“[T]he impact on telecoms businesses… is quite serious and quite considerable. Not only in the financial sense of losing money on bad payments, but the reputational risk is considerable,” Wright explained. “It doesn’t take long at all for consumers to pick up on what they perceive as a bad actor in the market.”

Companies are engaged in a constant battle against sophisticated and fast-moving schemes. While some forms of fraud are relatively easy to identify, others are far more subtle, using legitimate communications channels to trick unsuspecting customers.

“[T]he mass calling episodes, selling things that don’t exist… are quite easy to detect. We’re still seeing those, unfortunately; they slip through the net quite frequently,” Wright said. “It is constant whack-a-mole. These people move around the industry, blast these calls out, get caught, shut down, and move on.”

The more insidious threat comes from fraud that crosses multiple communication platforms.

“[T]he more challenging one to properly understand is where the telecoms network is used as part of social engineering. So you’ve already had an email or WhatsApp, or someone’s been sent a phone number in a text message… It’s much harder to detect because it might just be one or two phone calls and not look like anything suspicious.”

While the industry is improving its ability to identify and block fraudulent traffic, many cases still slip through.

“As a service provider, we collect a lot of information from customers on those things. And unfortunately, it is almost a daily occurrence that we get reports,” Wright said.

Many companies underestimate how fraud can ripple through the customer experience. When customers start doubting the authenticity of incoming calls, legitimate outreach can suffer. That erosion of trust can quickly translate into fewer answered calls, slower issue resolution and increased customer frustration.

Still, striking the right balance between robust security and a frictionless customer experience isn’t easy. Too much verification can frustrate users, but too little invites risk. The goal for most companies is to integrate protective measures without customers even noticing.

Breaking Down Barriers to Cross-Industry Data Sharing

The biggest challenge for telecoms service providers in thwarting fraud is sharing intelligence quickly and securely. There are significant barriers to creating an effective data-sharing framework across providers and industries.

“It has been the focus of our attention for most of this year,” Wright said. The trade association held a summit earlier this year that brought stakeholders together to address the problem.

“Not only is there the technical challenge of how to share data in a safe, secure way… The bigger issue is around creating a system that all types of service provider—telecoms company, banking, everyone—can use, and the law that goes behind that to allow us to do so.”

Without the proper mechanisms, vital information can remain siloed within individual networks, allowing fraudulent activity to spill across industries unchecked.

“We’re pushing on both sides of that to have the cover of the legal and regulatory side to allow us to proactively share information. For example, if in the telecoms industry we have access to a potential scam, we’d like to be able to share that with the banking sector to say ‘you might find all these people are victims’. And at the moment, we neither have the route to do it or the legal position in which to do it.”

“So those are our big asks. And one of our commitments under the Charter is to keep working on those. We’ve had a commitment in return from the Home Office and others that are going to work with us on that.”

That ongoing dialogue between industry, regulators, and government will be the key to unlocking progress. For now, CCUK and its members are developing their own models to test what secure, compliant data sharing could look like in practice.

“We don’t have the specifics at the moment on exactly what it looks like. We’re working on our own proof of concept as a membership that, if it works, we will roll out to the wider industry.”

“It is the hardest part, but we are determined because it really does unlock so much of the rest of the things we want to do if we can just find the magic key. And there are lots of steps going forward. We can learn a lot from the finance sector; they’ve already achieved quite a lot in that space. So we’re hoping to work quite closely with them and take all the best bits of the schemes that are already out there.”

This is where the traceback technology that the phone networks are developing—to verify that callers are who they appear to be—is essential.

“That ties in with the data sharing, because at the moment, there is no method for doing this—unless you are providing a call, it’s your vertical market and you own the customer and the whole network—we’ve got otherwise no way of knowing that a caller is who they say they are,” Wright said. “If we can figure that out as an industry, then we’ll be halfway there.”

From AI-driven analytics to automated monitoring systems, new tools are helping providers detect unusual activity faster and respond before customers are affected. But for CCUK, the focus is on solutions that can help providers of all sizes strengthen their defences without adding unnecessary complexity.

“We’re certainly committed to promoting any technology; it doesn’t necessarily have to be AI,” Wright said. “We are… keeping an open mind that it’s not necessarily the kind of silver bullet to fix all this… We’re not going to put all our eggs in one basket to try and overcome this problem. We need to be looking at different solutions.”

For many of its members—who are often smaller and more agile service providers—the emphasis is on accessibility. “Whatever we do has to be simple and accessible to the smaller provider. So one of the proof of concepts we’re looking at is a much more simple API-driven data sharing tool, which any one of our members could just use at very low cost,” Wright said.

Educating Businesses to Strengthen Defenses

Technology alone won’t solve the problem. Businesses need to raise their awareness of how telephony fraud works and how to protect themselves. Clear internal policies, staff training and customer communication all play a role.

Customers, too, need to understand what legitimate contact from a business looks like. When companies proactively explain how they communicate, detailing what numbers they use and what information they’ll never ask for, they help close the information gap that fraudsters rely on.

Under the Charter, the phone networks and CCUK will work together to help improve public awareness, and enhance the protection and support that victims of fraud receive. The networks aim to reduce the time it takes for victims to receive support to two weeks.

Telecoms fraud tactics evolve constantly, so timely information is crucial. By ensuring members have access to the latest intelligence and resources, CCUK aims to help providers recognise emerging threats and communicate those risks clearly to their customers.

“There are existing schemes out there that we will support and promote… on our website to our members,” Wright said. “But we’re also developing some awareness specifically for telecoms companies to give their staff the skills to talk to their customers. That’s going to be evolving over the next few months.”

Navigating Legal Grey Areas to Battle Telecoms Fraud

While there’s widespread agreement that better data sharing is vital to combating telecoms fraud, the legal framework that governs it remains an obstacle. On paper, UK data protection and law enforcement rules appear to offer clear guidance on when information can be exchanged, but in practice, the reality is far more complicated.

There are loopholes and ambiguities that can make compliance difficult, particularly for smaller providers without in-house legal teams. “If you’re not on the law enforcement list, for example, you can’t be shared certain data,” Wright said. “We’ve got some great guidance from the ICO on data sharing. But when you actually start digging into the laws and look at the exceptions that are in there, you keep getting tripped up.”

Companies want to do the right thing but fear falling foul of privacy laws in the process. “That’s what we’re trying to overcome. It’s trying to find someone to give us the law or the cover from the law to say, if you follow these guidelines, you can’t get in trouble. And that probably needs some kind of regulatory or legal shift,” Wright said.

By creating a framework for ongoing education, CCUK aims to build awareness across the industry, so that telecoms providers can secure their own networks against fraud and empower their customers to stay safe.
