With managers away, risks like poor passwords, unlocked screens and slow reporting can quietly escalate, and this article explains why it happens and how to stop it.

Why Summer Leave Demands Heightened Password Hygiene

In 2025, just over four in ten UK businesses (43 per cent) reported experiencing a cyber security breach or attack during the previous 12 months, with that figure rising to 67 per cent in medium-sized firms and 74 per cent in large ones. Phishing remained the dominant method of attack, affecting 85 per cent of organisations that identified breaches.

Seasonal reductions in staff numbers, remote working and less oversight can allow small mistakes, such as reusing passwords, to have much bigger consequences. According to the Royal Institution of Chartered Surveyors, 27 per cent of UK businesses were hit by a cyber attack in the past year, up from 16 per cent the year before. These figures highlight the growing risk, particularly during periods with less supervision.

Use Modern Password Standards and Move Beyond Forced Expiry

UK cyber guidance now discourages regular forced password changes unless there has been a suspected breach. This is because, when users are prompted to change credentials frequently, they often create weaker, predictable passwords, for example by simply adding a number or punctuation mark.

Instead, the National Cyber Security Centre (NCSC) recommends the use of longer passphrases made up of three random words, separated by full stops. These are both stronger and easier to remember than traditional passwords. The NCSC also advises organisations to adopt password managers and, where possible, passkeys. These tools can generate and store unique credentials securely, reducing the risk of password reuse or staff writing details down.

MFA

Multi-factor authentication (MFA) remains one of the most effective ways to protect business-critical systems. Yet despite its benefits, only around 40 per cent of UK businesses have implemented MFA across all user accounts. Email accounts are especially vulnerable, as they can often be used to reset access to other platforms. Ensuring these are protected with MFA is considered a baseline measure by most UK security professionals.

Lock Screens and Devices Immediately When Unattended

An unattended device with an open screen is one of the easiest targets for opportunistic attacks or accidental misuse. Whether it is a visitor in the office, a contractor passing by or a well-meaning colleague, leaving access open can result in emails being forwarded, data copied or malware being introduced via USB.

The Information Commissioner’s Office (ICO) advises that screens should lock automatically after two or three minutes of inactivity. Staff should also be trained to manually lock their devices every time they step away from their desks. This is especially important during summer when office routines may be more relaxed and the mix of people in the workplace can change.

Recent incidents show that even organisations with secure buildings can fall victim to social engineering or internal threats if unattended devices are left exposed. Automatic screen locking, combined with a strong culture of responsibility, helps reduce the risk significantly.

Ensure Quick Incident Reporting When Supervision Is Reduced

When teams are leaner, delays in reporting suspicious activity can allow small issues to spiral. For example, even a single phishing email that goes unreported could result in credential theft, malware infection or wider compromise of the organisation’s systems.

The ICO reminds organisations of their legal obligation to report serious personal data breaches within 72 hours. However, underreporting remains an issue. For example, a (2023) Cybsafe survey found that many employees still hesitate to report security issues, fearing they will be blamed or seen as incompetent. Some of them attempt to fix problems themselves, often making the situation worse.

Clear Policies

Clear policies and non-judgemental internal reporting procedures can also help. For example, businesses should reinforce the message that early reporting is vital, regardless of the perceived severity of the issue. When fewer people are available to detect problems, every employee becomes part of the security perimeter.

Vigilance Essential

Major cyber attacks on well-known UK retailers in early 2025 highlighted how attackers often exploit gaps in supervision. For example, in one widely reported case, criminals impersonated staff during a helpdesk call to reset login credentials at a large national department store chain. Using publicly available information and a convincing pretext, they persuaded internal support teams to grant access to privileged systems. The attackers then used this access to infiltrate the company’s ordering and stock systems, causing widespread disruption to online deliveries, store stock management and customer services across the UK.

The NCSC has since updated its guidance to stress the importance of identity verification, particularly during periods when usual contacts may be away. Organisations should ensure that all staff know who to contact in case of a suspected breach and that backup procedures are in place when key individuals are on leave.

Also, Proofpoint’s 2024 threat report showed a rise in phishing campaigns timed around bank holidays and summer breaks, many of which referenced internal systems or posed as absent executives. These tailored scams are more convincing and more dangerous when teams are under pressure or lacking oversight.

Promote a Culture of Accountable Vigilance Year-Round

It’s worth noting here that security does not begin and end with IT departments. In reality, everyone in the organisation has a role to play, particularly when fewer colleagues are present to notice if something goes wrong.

As Richard Horne, CEO of the NCSC, recently warned “businesses ignore advice at their peril,” thereby highlighting that even basic security measures can reduce insurance claims by over 90 per cent. However, the latest government figures show that fewer than one in ten UK organisations are currently certified under Cyber Essentials, the UK’s official baseline standard.

The ICO and NCSC both emphasise that technical tools must be matched by behaviour and awareness. That includes locking screens, using secure credentials, escalating concerns early and understanding that cyber security is not someone else’s job.

What Does This Mean For Your Business?

A key takeaway here is that there’s no seasonal exemption from cyber threats. In fact, if anything, the summer period heightens the risk, as gaps in supervision and more flexible routines make it easier for poor habits to slip through unnoticed. For UK businesses, this is not just a matter of good practice but of operational resilience. Attacks timed during holiday cover or lean staffing can have a disproportionate impact, especially when response times are slower and reporting structures unclear.

The broader lesson is that culture really matters. Password policies, screen-locking procedures and incident response plans are only effective when staff at all levels understand them and use them without hesitation. For security teams and senior leaders, this means investing in clarity and communication as much as in software or hardware.

UK regulators are already making expectations clear. With the ICO strengthening its stance on breach reporting and the NCSC repeatedly highlighting the need for accountability beyond the IT department, there is growing pressure on organisations to prove that cyber responsibility is being taken seriously throughout the business. That includes facilities managers, HR teams and anyone with access to systems or data.

What this means for UK businesses is a need to treat holiday periods not as downtime, but as a potential test of their internal defences. For insurers, regulators and supply chain partners, lapses in protocol will look less like an accident and more like a failure to plan. For customers and clients, the reputational damage from a breach can be immediate and lasting.

Avoiding that outcome does not require complex changes. It comes down to reinforcing a few non-negotiables. Strong, unique passwords. Locked screens. Prompt reporting. And a shared understanding that good security is not a favour to the IT team but a safeguard for the whole organisation.

In this article, we look at various ways staff can stay cyber-secure while away, from setting safer out-of-office replies to avoiding phishing on the move and protecting devices abroad.

Out-of-Office Messages Can Put You at Risk

Most employees see out-of-office (OoO) replies as a harmless admin task. However, the wrong message can actually open the door to social engineering and impersonation attacks. It’s not the message itself that’s risky but what it reveals, and to whom.

For example, attackers actively scan for out-of-office responses which include return dates, job roles, colleague names, or even direct phone numbers. These details can be used to craft credible phishing emails that appear to come from someone inside your organisation or a known supplier.

To reduce the risk, the UK’s National Cyber Security Centre (NCSC) advises that organisations set clear rules for OoO replies. The most important steps include:

– Using different messages for internal and external recipients.

– Avoiding specific return dates or colleague names in external replies.

– Limiting details to a simple confirmation of unavailability.

For example, instead of “I’m in Spain until 15 August—please contact Lisa in Accounts,” a better external message would be: “I’m currently unavailable and will respond to your message on my return.”

Internally, it’s fine to include a bit more information, but it should still be concise if possible. The aim is to help colleagues, not advertise an absence to outsiders.

Phishing Attacks Are Timed to Catch You Off Guard

When staff are away from their usual routines, especially while travelling, they’re more likely to fall for phishing attempts. This is no coincidence and cyber criminals actively exploit periods like school holidays and summer breaks to increase attacks.

The UK Government’s Cyber Security Breaches Survey 2025 found that phishing remains the most common form of cyber attack, accounting for 85 per cent of incidents reported by businesses and 86 per cent by charities. The same survey estimated over 8.5 million cyber crimes against UK businesses in the past 12 months, of which more than 7.8 million were phishing-related.

These attacks often take the form of fake hotel confirmations, airline refund requests, or urgent security notifications that appear to come from well-known brands. A mobile phone notification while queuing at an airport (while distracted and in an unfamiliar environment) is far more likely to be clicked than an email during a typical office day.

To mitigate this, staff should be reminded before going away that:

– No reputable company will ask for login credentials by email or SMS.

– Links and attachments in unexpected travel-related messages should never be clicked without verifying the source.

– Suspicious messages can be reported to report@phishing.gov.uk or via text to 7726.

Tip: Pre-holiday reminders and short cyber awareness refreshers can make a significant difference, especially when phishing attempts are designed to catch people off guard.

Travel Exposes Devices to Extra Risks

It’s worth noting that business travellers face a different set of risks, especially if they’re logging into company systems abroad. For example, public Wi-Fi networks, hotel business centres, and even charging stations can all pose threats if used without care.

With this in mind, the NCSC recommends several precautions that should now be considered standard practice:

– Keep all software and security updates current before leaving.

– Use strong passwords and enable multi-factor authentication.

– Turn off Bluetooth and Wi-Fi auto-connect settings to avoid rogue connections.

– Only use secure, private Wi-Fi or a trusted mobile hotspot.

– Avoid public USB charging points, which can be used to extract data or install malware.

– Use a Virtual Private Network (VPN) when connecting to work resources remotely.

VPNs encrypt your internet traffic, reducing the risk of interception. Without one, using a free Wi-Fi network at an airport or hotel could expose email, login credentials or confidential files to anyone else on the same network.

Temporary Devices

Some organisations now go a step further, issuing temporary devices for international work trips. These are pre-configured with minimal data and set up to be wiped remotely in case of theft or compromise.

What Happens If a Device Is Lost or Stolen?

According to recent government data, over 2,000 official laptops, phones and tablets were reported lost or stolen in a single year. While most were encrypted, even a brief exposure could result in leaked credentials, compromised apps, or unauthorised access to systems if multi-factor authentication is not used.

In the private sector, the same risks apply. For example, if a staff member leaves a work phone in a taxi or hotel room, the consequences can range from inconvenience to data breach, particularly if no backup exists or if the device grants access to sensitive files without additional controls.

The most effective countermeasure is a layered one:

– Encrypted storage.

– Device lockout after inactivity.

– Remote tracking and wipe capability.

– Strict separation between personal and work accounts.

Employees should also know who to notify if a device is lost, and how quickly a compromise can escalate if not handled swiftly.

Oversharing on Social Media Can Be Just as Dangerous

Even without phishing or device theft, sharing too much about travel plans can lead to risk. A well-timed LinkedIn post saying “off to Greece for two weeks” may seem harmless, but it confirms a person’s absence to anyone watching, including cyber criminals looking to exploit out-of-office gaps.

Posting photos of boarding passes, passports or hotel locations on social media can also invite fraud. In recent cases, scammers have used partial passport information combined with leaked credentials to access travel accounts or generate fraudulent documents.

The safest approach is to wait until you’re home before sharing holiday updates publicly, or to keep posts strictly limited to private audiences.

Clear Expectations and Small Changes Make a Big Difference

While cyber threats grow more sophisticated each year, the most effective defences are still relatively simple:

– Don’t overshare in auto-replies.

– Watch for phishing while on the move.

– Keep devices locked down and updated.

– Avoid unnecessary risks abroad.

UK businesses can do more to embed these habits into everyday culture, especially during peak holiday months. Even if a full training session isn’t feasible, a short checklist or pre-departure reminder can reduce exposure significantly.

What Does This Mean For Your Business?

The risks outlined here are not theoretical. They reflect common oversights that continue to be exploited by attackers year after year. For UK businesses, especially those with remote or hybrid teams, these issues matter because they affect every department. A single out-of-office reply or a misjudged click while abroad can lead to reputational damage, operational disruption or financial loss.

The increase in phishing attacks during holiday periods shows how cyber criminals adapt their tactics to match human behaviour. The fact that over 85 per cent of cyber incidents reported by UK businesses now involve phishing should act as a clear warning. Routine travel or time off is not a reason to lower defences. In many cases, it is when organisations are most vulnerable.

All this creates a strong case for better awareness, firmer controls around device use while travelling and more consistent defaults for things like out-of-office replies and remote access. These measures are not expensive. In most cases, they come down to clear expectations, simple communications and a few minutes of preparation that can prevent much bigger problems later.

For individual employees, these risks are not always obvious, particularly for those in non-technical roles. That is why basic guidance on travel-related security should be part of the normal rhythm of work. Whether someone is attending an overseas meeting or switching off for a well-earned break, the same principles apply.

This also matters for HR, compliance and communications teams. The way cover is arranged, the wording of public messages and the tone of internal guidance all play a part in how securely staff behave while away. Responsibility for this does not sit with IT alone.

In the end, protecting an organisation during staff holidays is not about large-scale policy overhauls. It is about recognising that certain periods carry higher risk and planning accordingly. When simple habits like cautious messaging, phishing awareness and secure device use are embedded into daily working culture, the chances of a successful attack drop significantly. Also, in a landscape where cyber criminals only need one opening, those habits are what keep your business protected.

A new wave of farm automation is aiming to cut chemical use in food production, led by California-based TRIC Robotics, whose UV-powered robots are helping strawberry growers tackle pests and disease without pesticides.

Tackling One of the Dirtiest Fruits on the Shelf

Strawberries may be a consumer favourite, but they’re also among the most chemically treated fruits in commercial farming. For example, according to the US-based non-profit Environmental Working Group’s 2024 “Dirty Dozen” list, strawberries once again topped the rankings for the highest levels of pesticide residue found on produce in the US. Despite growing demand for organic alternatives, conventional pest control practices in strawberry production remain heavily reliant on chemical sprays, often applied multiple times per week throughout the season.

It’s this issue that San Luis Obispo-based TRIC Robotics set out to address with a radically different approach. For example, rather than spraying crops with synthetic chemicals, the ag-tech company is using ultraviolet (UV-C) light, applied by autonomous robots operating at night, to kill pathogens and deter pests. Early results suggest the method could significantly reduce pesticide use on commercial farms while improving yield and sustainability.

Who Is Behind TRIC Robotics?

TRIC Robotics was founded in 2017 by Adam Stager, who holds a PhD in robotics. The company originally focused on developing mobile robots for law enforcement but pivoted towards agriculture in 2020 after Stager began exploring how automation could be applied to more socially impactful sectors. Through a US Department of Agriculture (USDA) commercialisation programme, he was introduced to dormant UV-light research that had not yet reached the field.

“I really wanted to do something that would have meaningful impact,” Stager told TechCrunch earlier this year. “When I discovered the potential of UV-C for farming, I saw a way to improve food production while reducing harm.”

Alongside co-founders Vishnu Somasundaram and Ryan Berard, TRIC began trialling early prototypes in strawberry fields along the US West Coast. The first robot was built in Stager’s garage and transported cross-country to farms in California, where the majority of US strawberries are grown. Since those early experiments in 2021, the company has expanded to nine robots and secured contracts with several major growers.

How the Technology Works

The system centres around large, tractor-sized autonomous robots, named Eden and Luna, which use UV-C light to control fungal and bacterial pathogens as well as insects such as spider mites. UV-C light, a short-wavelength ultraviolet radiation, damages the DNA of microorganisms, disrupting their ability to reproduce.

The robots operate exclusively at night, when UV-C is most effective and when plants are less vulnerable to stress. Each robot is equipped with adjustable booms, dosing systems, and high-resolution cameras for precision treatment. They can cover 50 to 100 acres each, moving independently through rows and adjusting to uneven terrain and plant height in real time. Vacuum systems are also fitted to remove pest residue and insects from leaves without damaging the crop.

Robots As-A-Service?

Instead of selling robots to farmers outright, TRIC offers a subscription-style “service model” in which robots are delivered, managed, and maintained by the company. Farmers pay roughly the same as they would for conventional spraying but avoid the need for pesticides, re-entry delays, or additional labour.

Environmental and Operational Benefits

The approach offers a clear environmental upside, which is reduced pesticide use. This, in turn, means less chemical runoff into soil and waterways, lower risk to pollinators and other beneficial insects, and fewer residues on produce. It also supports growers aiming to meet organic standards or export restrictions tied to pesticide levels.

From a business perspective, the robots improve consistency, reduce re-spray requirements, and allow treatments to occur more frequently. TRIC claims farms using its robots have seen pesticide use fall by up to 70 per cent, with some reporting yield improvements thanks to better pest and disease control.

The autonomous machines also generate valuable data. Built-in cameras and sensors capture real-time insights on plant health and pest pressure, helping growers monitor performance and make more informed decisions.

Ambition = Automated Crop Protection

TRIC raised $5.5 million in seed funding in mid-2025, led by Version One Ventures, with backing from Garage Capital, Lucas Venture Group, and others. The investment is being used to expand the robot fleet, enhance analytics, and explore the system’s applicability to other crops beyond strawberries.

Stager says the long-term ambition is to provide “automated crop protection” across multiple types of produce. “Agriculture needs practical, scalable solutions to reduce chemical inputs and protect yields,” he told investors during the funding round. “UV-C is one of those solutions—but only if it can be applied efficiently, safely, and at scale.”

TRIC’s approach also highlights a broader shift in ag-tech away from standalone equipment sales towards service-based, data-rich models that mirror the way many farmers already procure services like spraying or fertilisation.

Others in the Field

TRIC is not alone in applying UV-C to agriculture, but its combination of automation, scale, and commercial deployment is relatively rare. One of the best-known alternatives is Norway’s Saga Robotics, whose Thorvald platform uses UV-C light to treat strawberries and grapes in Europe and the US. However, Saga’s robots are smaller, battery-powered, and typically used in research or niche applications.

Other firms, such as FarmWise and Naïo Technologies, are also building autonomous farm machinery, but these generally focus on weeding, harvesting, or mechanical cultivation rather than light-based disease control.

In the greenhouse sector, Dutch firms like Priva and Signify have experimented with UV light for fungal control in tomatoes and cucumbers, but few solutions are currently available for open-field use at scale.

This essentially positions TRIC as one of the most commercially advanced players applying UV-C at field level. Still, the space is expected to grow quickly, with McKinsey predicting that farm robotics and automation will become a $50 billion global market by 2030.

Challenges

Despite promising results, the technology is not without challenges. One concern is the potential for overuse of UV-C, which can damage plant tissue or lead to resistance in certain pest populations if not carefully managed. TRIC’s dosing systems are designed to avoid this, but it remains a technical and biological balancing act.

Another issue is energy use. For example, although TRIC’s early robots were battery-powered, the current versions use on-board diesel generators due to limited field charging infrastructure, thereby raising questions about carbon emissions, especially for a solution marketed on sustainability grounds. TRIC has acknowledged this limitation and says future versions may explore hybrid or fully electric designs as farm infrastructure improves.

There are also operational constraints to consider. For example, the robots work best in certain field layouts and require access to well-maintained paths and consistent planting patterns which is something not all farms can offer without modification. That said, TRIC’s tractor-sized form factor was deliberately chosen to mirror existing spray rigs and reduce disruption.

Also, some industry observers have questioned whether UV-C alone is actually sufficient to replace chemical sprays across a full growing season, especially in regions with high pest pressure. While results from pilot sites have been encouraging, broader third-party trials and peer-reviewed research will be key to long-term credibility.

What Does This Mean For Your Business?

If TRIC’s model continues to scale, it may bring about a change in how pest and disease control is delivered across large-scale agriculture. By offering automation as a service and avoiding upfront equipment costs, the company has lowered the barrier to adoption for growers who might otherwise resist change. That could accelerate the move away from chemical inputs in a sector long dependent on them. The fact that it’s proving cost-comparable to traditional spraying means it may not take government intervention or subsidies to push adoption forward.

For the robotics industry, TRIC’s success adds weight to the idea that task-specific, autonomous machines, especially those built around a practical service model, can find real traction in farming. This is a notable development in a space where many ag-tech ventures remain trapped in trial stages or small-scale pilots. If other crops can be treated as effectively, and if energy issues are resolved, UV-C robotics may offer a compelling template for reducing agrochemical reliance more widely.

UK farmers, especially those under pressure from changing pesticide rules and tighter sustainability requirements, may see clear potential in this approach. For example, British growers facing EU-derived regulations on maximum residue levels and soil health could benefit from a model that allows frequent treatment without chemical application or delayed re-entry. There could also be scope for adaptation to local crops such as soft fruits, leafy greens, or high-value organics, particularly where manual spraying is still dominant or increasingly expensive due to labour shortages.

Also, for UK businesses involved in food supply chains, TRIC’s methods are likely to be promising. For example, as major retailers and buyers place more emphasis on sustainability, traceability, and reduced chemical use, upstream suppliers using robotic UV-C solutions may gain competitive advantage. The same applies to UK-based ag-tech firms exploring adjacent fields. The window is open for others to localise or licence similar models in the UK and Europe, or to partner with growers on collaborative trials.

However, any rollout here would need to take into account different field conditions, crop types, and infrastructure. Unlike the flat, uniform rows of California strawberry farms, many British farms are smaller, more varied in layout, and less mechanised. That may limit near-term deployment without further design iterations.

It’s also worth watching how regulators may respond. For example, UV-C is already used in food processing and healthcare, but applying it in open-field environments could raise fresh questions about environmental exposure, crop labelling, and treatment records. Clear data on safety, efficacy, and operational standards will be essential to building trust.

For now, TRIC’s model stands out as an example of how robotics, when applied thoughtfully and at the right point in the production chain, can genuinely support more sustainable agriculture. The bigger test will come as more farms take it on, and as others begin to compete on similar ground.

We’ve all been waiting for it … and now it’s here! This video takes a quick peek at the ‘agent’ which is now available in the UK for paid ChatGPT users … and it is far from perfect as we’ll see!

[Note – To Watch This Video without glitches/interruptions, It may be best to download it first]

Busy Gmail inbox? The ‘Snooze’ feature lets you temporarily hide an email and have it reappear at a date and time when you’re ready to act on it.

How to:

– Hover over the email in your Gmail inbox.
– Click the clock icon (Snooze) on the right.
– Choose a preset time like “Tomorrow” or “Next week”, or click Pick date & time to choose your own.
– The email will disappear from your inbox and return at the scheduled time—marked as unread and flagged for attention.

What it’s for:

Keeps your inbox clear and helps you deal with non‑urgent emails at the right moment—ideal when you’re on the move, in meetings or just prioritising.

Pro‑Tip: Snoozed emails appear in your Snoozed tab (left-hand menu), so you can check or reschedule them at any time.

The UK Government has entered into a formal partnership with OpenAI aimed at accelerating the responsible use of artificial intelligence (AI) across public services, infrastructure, and national growth zones.

What Is The Deal?

Announced on 21 July 2025, the agreement takes the form of a Memorandum of Understanding (MoU) between the Department for Science, Innovation and Technology and OpenAI, the US-based company behind ChatGPT. While not legally binding, the document outlines both sides’ intentions to deepen collaboration in areas including AI infrastructure, public sector deployment, and AI safety research.

To Transform Taxpayer-Funded Services

According to the Department, the strategic aim is to “transform taxpayer-funded services” and improve how the state uses emerging technologies. It also includes commitments to explore joint investments in regional AI growth zones, share technical insights with the UK’s AI Safety Institute, and expand OpenAI’s UK-based engineering and research operations.

Technology Secretary Peter Kyle described the move as central to “driving the change we need to see across the country – whether that’s in fixing the NHS, breaking down barriers to opportunity or driving economic growth”.

OpenAI CEO Sam Altman echoed this, saying AI is a “core technology for nation building” and that the partnership would “deliver prosperity for all” by aligning with the goals set out in the UK’s AI Opportunities Action Plan.

Why Now And Why OpenAI?

The timing reflects the government’s wider push to try to position Britain as a leader in AI development and deployment. This includes the £2 billion commitment to AI growth zones made earlier this year, alongside a new AI Compute Strategy and the creation of a national AI Safety Institute.

It also comes as the UK faces some sluggish productivity growth, mounting public sector workloads, and strained public finances. Officials argue that automating time-consuming tasks, such as consultation analysis, document classification or civil service admin, could help free up staff to focus on more complex or sensitive work.

OpenAI’s Models Already Being Used

It’s worth noting here that GPT-4o, OpenAI’s latest model, is already being used in a Whitehall tool called “Consult”, which automatically processes responses to public consultations. The tool is said to reduce weeks of manual work to a matter of minutes, while leaving substantive decision-making to human experts.

The government’s AI chatbot “Humphrey” also uses OpenAI’s API to help small businesses navigate GOV.UK services more efficiently.

According to the MoU, future deployments will prioritise transparency, data protection, and alignment with democratic values. However, critics have raised concerns that key details of the deal remain vague.

A Boost for OpenAI’s UK Ambitions

For OpenAI, the partnership will, no doubt, reinforce its growing presence in the UK, which it describes as a “top three market globally” for both API developers and paid ChatGPT subscribers.

The company opened its first international office in London in 2023 and now employs more than 100 staff there. Under the new agreement, it plans to expand these operations further to support both product development and local partnerships.

OpenAI is also expected to explore building or supporting UK-based data centres and R&D infrastructure, which is a move that would enhance what the government calls the country’s “sovereign AI capability”. This concept refers to ensuring that core AI infrastructure and innovation remain under UK control rather than becoming overly reliant on US or Chinese providers.

Sam Altman has suggested that such regional investment could help stimulate jobs and revitalise communities, especially within the designated AI growth zones.

Competitors and UK Tech Firms

The announcement is likely to intensify competition among global AI providers, particularly Google DeepMind and Anthropic, both of which have also signed cooperation agreements with the UK Government in recent months.

However, some British AI firms say the government is placing too much emphasis on partnerships with dominant US players at the expense of homegrown innovation. Tim Flagg, Chief Operating Officer at UKAI, a trade body for British AI companies, previously warned that the AI Opportunities Action Plan takes a “narrow view” of who is shaping the UK’s AI future.

For example, it could mean that UK-based AI firms working on foundation models, language processing, or ethical AI frameworks may now find themselves competing for talent, attention, and influence with the likes of OpenAI, whose models and reputation already dominate the field.

Digital rights campaigners have also questioned whether the government is adequately safeguarding public interest and data security in its eagerness to court big tech firms.

Warnings Over Public Data and Accountability

One of the main criticisms of the deal is its lack of specificity on how public data may be used. While the agreement hints at technical collaboration and information-sharing, it doesn’t clarify whether UK citizens’ data will help train OpenAI’s models, or what safeguards will be in place.

Digital rights group Foxglove called the MoU “hopelessly vague”, warning that OpenAI stands to benefit from the UK’s “treasure trove of public data”. Co-Executive Director Martha Dark went further, saying that “Peter Kyle seems bizarrely determined to put the big tech fox in charge of the henhouse when it comes to UK sovereignty”.

Others have raised broader concerns about transparency and oversight. Some academics and civil service experts suggest that while AI tools may relieve public sector staff of time-consuming administrative tasks, the real challenge lies in ensuring that deployments are done ethically, with strong governance and minimal reliance on personal or sensitive data.

The AI Infrastructure Angle

Beyond public services, the deal includes plans to explore investment in AI infrastructure, a term that typically refers to the high-performance computing facilities and energy-intensive data centres required to train and deploy large AI models.

This ties into the UK’s broader push for regional development. Under the AI Growth Zone initiative, over 200 local bids have been submitted, with billions in potential investment expected. The government has confirmed that both Scotland and Wales will host zones under the AI Compute Strategy.

The partnership with OpenAI may give these ambitions extra momentum. If the company builds or co-develops infrastructure in the UK, it could significantly improve national access to compute power, a key enabler for both public and private AI innovation.

Concerns Over Sovereignty and Big Tech Influence

Despite assurances from ministers that the UK will remain in control of its AI future, there are growing calls for greater scrutiny and legislative oversight.

The UK’s Data Protection and Digital Information Bill, which is making its way through Parliament, may play a role in regulating how personal and government data can be used in AI systems. However, many campaigners believe that dedicated AI legislation, with clear public interest protections, is still lacking.

Meanwhile, the MoU’s non-binding nature means the partnership could evolve in unpredictable ways, without necessarily being subject to parliamentary approval or regulatory review.

Peter Kyle has defended the approach, arguing that “global companies which are innovating on a scale the British state cannot match” must be engaged if the UK wants to compete in the AI era.

However, for opponents, this signals a risk of policy being shaped too closely around commercial interests, rather than the public good.

What Does This Mean For Your Business?

The UK’s agreement with OpenAI may sound like a significant moment in the evolution of public sector AI strategy, but it also raises some important questions about balance, control, and accountability. For government departments under pressure to deliver more with less, AI appears to present an opportunity to reduce routine workloads, speed up processes, and direct skilled professionals toward more impactful tasks. With OpenAI’s models already embedded in tools like “Humphrey” and “Consult”, this partnership could enable deeper integration and faster iteration across critical areas such as justice, health, education, and small business support.

For UK businesses, particularly those involved in or supplying to the public sector, the partnership could bring both practical benefits and growing pressure. For example, OpenAI’s expanded presence may improve access to advanced AI tools, infrastructure, and collaborative opportunities, helping British startups and firms apply new technologies more effectively. At the same time, there is concern that prioritising partnerships with large US-based companies could marginalise smaller UK tech providers whose innovations may be better suited to local contexts but lack the scale or visibility to compete.

The deal also adds pressure on the UK to clarify how it will protect data, enforce ethical guardrails, and ensure that public interest remains front and centre. Critics argue that the lack of legally binding terms leaves room for mission creep or overreach, especially if partnerships expand without clear oversight. With public trust in digital services already under strain, transparency and accountability will be vital to ensuring these systems are not only efficient, but also fair and secure.

Ultimately, the MoU appears to reflect the government’s belief that strategic alignment with global AI leaders is essential if the UK wants to stay competitive. Whether this approach will deliver broad-based economic and societal benefit, or reinforce existing power imbalances, will depend on how well the promises of inclusion, sovereignty, and ethical standards are translated into action. For now, the UK has made its bet, and the challenge will be ensuring that it delivers for everyone.

A new survey reveals 45 per cent of managed service providers (MSPs) are setting aside cash to pay ransomware demands, as fears over AI-fuelled cybercrime continue to mount.

MSPs Under Pressure as Ransomware Attacks Surge

The finding comes from the CyberSmart MSP Survey 2025, which examined the security posture of 900 MSPs across the UK, Europe, Australia, and New Zealand. According to the report, nearly half of those surveyed now maintain a dedicated pot of money in case they are hit by a ransomware attack, a tactic where cybercriminals encrypt a victim’s data and demand a payment for its return.

Counter To Guidance

This approach appears to run counter to guidance from insurers, governments, and law enforcement agencies, which consistently urge organisations not to pay. However, the growing scale and frequency of attacks, often powered by artificial intelligence, appear to be forcing MSPs to adopt a more pragmatic (if controversial) strategy.

“Organisations shouldn’t rely on ransomware payments; rather, they should partner with organisations that can help proactively secure them,” said Jamie Akhtar, CEO and co-founder of CyberSmart.

Be Prepared

The report’s findings highlight a deepening sense of vulnerability among MSPs, many of which provide outsourced IT and cyber-security services to small and medium-sized enterprises (SMEs). With AI-generated phishing emails, malware, and deepfakes becoming increasingly sophisticated, the pressure to be prepared for the worst has never been higher.

More Breaches, More Budgets, More Confusion

CyberSmart’s research revealed that 69 per cent of MSPs had suffered two or more cyber breaches in the last 12 months, while 47 per cent reported being hit three times or more. These incidents are not just one-off events. For example, many are the result of supply chain vulnerabilities, such as the May 2025 breach where the Dragonforce ransomware group exploited a remote monitoring and management (RMM) tool to compromise multiple MSP clients.

Faced with mounting threats, MSPs are reacting in different ways. For example, 36 per cent now rely on cyber insurance as their primary defence, while 11 per cent (worryingly) have neither cyber insurance nor a ransomware fund in place, leaving them financially and operationally exposed if attacked.

Guidance Not Clear

It seems that part of the problem is that official guidance around ransomware payments remains fragmented and unclear. While governments generally discourage paying ransoms, enforcement is inconsistent outside the public sector. “What your business is advised to do will largely depend on where you’re based and who’s advising you,” CyberSmart noted in its commentary.

This has led to a patchwork of interpretations, with some MSPs feeling they have little choice but to maintain a reserve, despite the moral and strategic risks involved.

UK Government Moves to Ban Ransomware Payments for Critical Services

In July 2025, the UK government announced proposals to ban ransomware payments for public sector bodies and operators of critical national infrastructure (CNI). The measures, introduced by the Home Office following a public consultation, would apply to organisations such as hospitals, councils, schools, and water providers, sectors where operational downtime can endanger lives.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said Security Minister Dan Jarvis. “We’re determined to smash the cyber criminal business model and protect the services we all rely on.”

Private Businesses Would Need To Notify Government Before Paying

Under the proposals, private businesses would not be banned outright from paying, but would be required to notify the government before doing so. This would enable authorities to offer advice, check for potential sanctions breaches (such as paying Russian-linked gangs), and gather intelligence to disrupt criminal networks.

Cybercrime’s Business Model Under Scrutiny

The rationale behind the payment ban is to undermine the business model of ransomware gangs, which rely on victims caving in quickly to avoid reputational damage, data leaks, or prolonged disruption. However, experts have warned that banning payments, especially only for certain sectors, may not have the desired effect.

“Ransomware is largely an opportunistic crime, and most cyber criminals are not discerning,” said Jamie MacColl, a senior research fellow at the Royal United Services Institute (RUSI). “They’re unlikely to develop a rigorous understanding of UK legislation or how we designate critical infrastructure.”

Others suggest the ban could increase the stakes for victims. “If the best solution is to just turn around and say to the hackers, ‘We’re not giving in to your demands anymore,’ don’t be surprised if they double down,” said Rob Jardin, chief digital officer at NymVPN.

The British Library, one of the most high-profile public victims of ransomware in recent years, chose not to pay after an attack in October 2023 devastated its systems. “We are committed to sharing our experiences to help protect other institutions and build collective resilience,” said Chief Executive Rebecca Lawrence.

AI Attacks Are Changing the Game

Perhaps the most striking shift in this year’s CyberSmart survey is the rise of artificial intelligence as the top concern for MSPs in 2025. AI overtook ransomware itself, with 44 per cent of respondents citing it as their biggest worry, compared to 40 per cent for traditional malware and ransomware threats.

This change reflects a growing trend in how attackers operate. For example, AI tools are now being used to write convincing phishing emails, build more evasive malware, and even create deepfake audio and video to impersonate executives or support social engineering attacks.

In 2024, 67 per cent of MSPs reported falling victim to AI-enabled attacks, a figure expected to rise in 2025 as generative and agent-based AI tools become more widely available to threat actors.

However, many MSPs feel ill-equipped to counter these evolving threats, with a lack of user-friendly, AI-specific defence tools still a key issue. “MSPs are being asked to do more, with fewer tools at their disposal,” the report concludes.

Customer Expectations Are Rising, But So Is Investment

The research also showed that 84 per cent of MSPs now manage their clients’ cybersecurity infrastructure, or both their cybersecurity and broader IT estate. This shift reflects growing client expectations for MSPs to provide end-to-end protection which are the kind of expectations that often come with greater scrutiny.

According to the CyberSmart research, 77 per cent of MSPs said potential customers are now evaluating their cyber credentials more carefully, especially in the procurement stage.

To meet demand, it seems that MSPs are now investing heavily. For example, 81 per cent have increased spend on hiring security specialists, and 78 per cent have upped budgets for cyber defence tools, training, and client services. Compliance is also high on the agenda, with 60 per cent hiring regulatory specialists and 64 per cent enhancing capabilities to align with frameworks such as NIS2 in the EU and the UK’s upcoming Cyber Security and Resilience Bill.

According to NCSC Director of National Resilience Jonathon Ellison, such steps are critical: “Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials.”

MSPs Prepared Yet Vulnerable

Despite the high rate of breaches, MSPs remain surprisingly confident in their security posture. For example, CyberSmart found that 76 per cent rate their cyber confidence as above average or higher. That said, only 20 per cent described their confidence as complete, suggesting that many know there’s room for improvement.

Looking at this research, for businesses relying on MSPs to manage their security, the message appears to be that while many providers are stepping up their game, others are still reacting to threats in ways that may not align with long-term best practice.

Co-op CEO Shirine Khoury-Haq, who oversaw the retailer’s response to a Scattered Spider ransomware attack, captured the sentiment well, saying: “What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

What Does This Mean For Your Organisation?

For MSPs and their clients, the emergence of ransomware funds could be seen as a move from aspirational resilience to operational realism. Despite official advice against paying cybercriminals, it seems that many MSPs clearly believe they cannot afford to be unprepared. With 69 per cent already breached multiple times in a single year and AI accelerating the scale and complexity of attacks, the temptation to hold a contingency reserve is understandable. However, this pragmatic stance may also entrench the very business model that governments and law enforcement are working hard to dismantle.

The UK’s proposed ransomware payment ban for public bodies and CNI highlights just how far official thinking has moved towards systemic deterrence. However, the exclusion of private businesses from that ban, and the option for them to pay under notification, risks creating an uneven response that may ultimately frustrate enforcement and dilute its impact. As Jamie MacColl pointed out, most ransomware gangs operate opportunistically and will not necessarily distinguish between regulated and unregulated targets. This raises questions about whether partial bans can realistically alter attacker behaviour.

For UK businesses, especially SMEs dependent on MSPs for protection, the findings raise difficult questions. For example, while many providers are making serious investments in tools, people, and compliance, others are still relying on reactive strategies that may offer short-term cover but little long-term assurance. The increasing scrutiny on MSPs is likely to intensify, particularly as clients seek partners who are both cyber confident and operationally transparent. Businesses must now evaluate not only whether their MSP has a ransomware plan, but also whether that plan reflects best practice or a compromise born of confusion.

For regulators, the lack of clarity and consistency around ransomware responses remains a core problem. Guidance alone is proving insufficient. A broader and more unified framework, alongside mandatory reporting, may be needed to help ensure MSPs, their clients, and their insurers are working from the same playbook. For now, the reliance on private ransomware funds points to a cyber landscape still dominated by tactical survival rather than strategic coordination.

WhatsApp has been denied permission to join a major legal challenge over UK government demands for access to encrypted data, as a special tribunal confirms a seven-day public hearing will go ahead in 2026.

WhatsApp Shut Out of High-Stakes Encryption Fight

The Investigatory Powers Tribunal (IPT), which hears complaints about UK surveillance and investigatory powers, has rejected an application by WhatsApp to intervene in two linked legal challenges over the use of secret government powers to weaken encryption.

The challenges stem from a reported Technical Capability Notice (TCN) issued by the Home Office in January 2025. Under the UK’s Investigatory Powers Act, a TCN can compel a company to build or alter technology to ensure it can be accessed by government agencies under lawful authority.

In this case, the order reportedly demanded that Apple provide access to encrypted user data stored globally on its iCloud platform, including material protected by its Advanced Data Protection (ADP) service.

Apple responded in February by withdrawing the ADP feature from UK users, publicly stating that it would never build “a backdoor or master key” into its products. The move drew attention on both sides of the Atlantic, triggering concerns in the US about the implications for American users and businesses.

In March, Privacy International, Liberty, and two individual claimants filed a legal challenge to the secrecy and legality of the Home Office’s reported actions. Apple launched its own legal case in parallel.

Then, in April, the Home Office attempted to argue that the full case should be heard behind closed doors. This was rejected by the IPT following objections from ten media organisations. The tribunal opted instead for a novel legal approach which was to proceed on the basis of “assumed facts”, allowing as much of the hearing as possible to be held in public while preserving the government’s right to “neither confirm nor deny” the existence of the order.

WhatsApp applied to intervene in both cases in June, citing the risk of a precedent that could erode the encryption protections used by billions of people. However, on 23 July, the Tribunal refused the application. A seven-day public hearing will now go ahead in early 2026, combining Apple’s case and the Privacy International-led challenge.

A Public Hearing, But Based on Assumed Facts

Although much of the government’s activities around encryption remain secret, the IPT has ruled that the bulk of Apple’s and Privacy International’s legal arguments will be heard in open court at a seven-day hearing, now scheduled for early 2026.

In a bid to balance transparency with national security, the tribunal will proceed on the basis of “assumed facts” rather than actual confirmation of the Home Office’s reported order. The government will be permitted to maintain its official “neither confirm nor deny” (NCND) position on the existence of the TCN, even though details have been widely leaked and reported.

Why?

It seems that this approach allows both Apple’s and Privacy International’s legal arguments to be made in public, without requiring sensitive details to be aired in a closed court. The IPT had previously rejected attempts by the Home Office to keep the entire case behind closed doors, following objections from a coalition of media outlets including the BBC, The Guardian and Computer Weekly.

A Frustrated WhatsApp Pushes Back

WhatsApp expressed clear frustration at the decision to exclude it from proceedings. CEO Will Cathcart previously submitted written evidence raising concerns that the UK order sets “a dangerous precedent for security technologies that protect users around the world”.

Cathcart stated: “We’ve applied to intervene in this case to protect people’s privacy globally. Liberal democracies should want the best security for their citizens. Instead, the UK is doing the opposite through a secret order.”

Following the ruling, a WhatsApp spokesperson added: “This is deeply disappointing, particularly as the UK’s attempt to break encryption continues to be shrouded in layers of secrecy. We will continue to stand up to governments that try to weaken the encryption that protects people’s private communication.”

The company has repeatedly warned that mandating backdoors, i.e. ways for governments to access encrypted systems, would compromise security not just for criminals, but for all users, exposing communications to cybercriminals and hostile states.

Apple Takes a Stand (And a Step Back)

Apple has also taken a firm stance against the Home Office’s demands. For example, in February 2025, it withdrew its Advanced Data Protection (ADP) service from UK customers, rather than comply with the TCN’s reported requirements.

ADP enables users to encrypt their iCloud backups using end-to-end encryption, meaning not even Apple can access the data. The feature remains available in other countries.

In a statement at the time, Apple said: “As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will.”

Apple’s legal challenge is separate from the civil liberties group case, but will be heard during the same week as part of the IPT’s coordinated hearing.

Why This Matters and What’s at Stake

The case matters because it has significant implications for privacy, national security, and the power of democratic oversight. At its heart is a tension between the UK government’s claim that it must access encrypted data to fight terrorism and child abuse, and the tech industry’s position that weakening encryption threatens the security of everyone.

Technical Capability Notices, while rarely discussed in public, give the Home Office power to compel companies to make their systems interceptable. This can include designing or modifying services to allow for lawful access, which is something encryption advocates have long argued is incompatible with true end-to-end encryption.

Smokescreen?

Campaigners such as Privacy International argue that the UK is using national security as a “smokescreen” to bypass proper scrutiny and safeguards. Legal Director Caroline Wilson Palow criticised the government’s NCND stance, saying: “We are being forced to sustain the fiction that the order does not exist, which may hinder our ability to grapple fully with its legal ramifications.”

Privacy International’s challenge also questions the lawfulness and necessity of the regime underpinning TCNs, including whether they are being used proportionately and with sufficient parliamentary oversight.

International Repercussions and Political Fallout

It seems that the Home Office’s efforts have not only raised legal alarms but have also sparked diplomatic tensions. For example, the Financial Times recently reported that UK officials are now exploring ways to de-escalate the row with the US government, which sees the order against Apple as a breach of sovereignty.

US President Donald Trump and Director of National Intelligence Tulsi Gabbard have both condemned the UK’s actions, warning that attempts to access the encrypted data of US citizens could be considered a hostile act.

Gabbard described the move as “a clear and egregious violation”, and there have been calls in Washington for changes to the US CLOUD Act to limit the extraterritorial reach of UK orders.

What Comes Next?

The Tribunal’s case management order paves the way for a high-profile legal test in early 2026. The hearing is expected to include arguments on the legal limits of the UK’s investigatory powers, the technological realities of encryption, and whether governments can compel private firms to compromise the security of their own systems.

The hearing’s outcome may shape the future of encrypted communications not only in the UK, but globally. If the IPT upholds the TCN, it could embolden similar efforts in other jurisdictions. If it rules in favour of Apple and Privacy International, it could reinforce legal limits on surveillance powers.

While WhatsApp is now shut out of this phase of the process, the company and others offering secure communications are likely to keep pushing back, through lobbying, public advocacy, and possibly future legal action. For businesses and consumers relying on encrypted services to protect sensitive data, the stakes are high.

What Does This Mean For Your Business?

The hearing will be closely watched by UK businesses that rely on cloud services, secure messaging, and encrypted backups to safeguard client data and protect against cyber threats. If the government’s approach is upheld, it could signal the start of broader obligations on tech providers to ensure government access by design. That would pose real concerns for sectors handling sensitive information, including finance, legal services, healthcare and defence, where robust end-to-end encryption is often a regulatory or contractual expectation.

Although the Home Office claims such powers are essential for national security and criminal investigations, many critics argue (and have long done so) that the very existence of compelled access could weaken the technical integrity of services relied on by billions of people. From a commercial perspective, compliance with such orders may require re-engineering platforms, reducing user trust, or even withdrawing features entirely, as Apple has already done. For global technology firms operating in the UK, the outcome of this case could determine whether the market remains viable under increasingly intrusive obligations.

WhatsApp’s exclusion also raises questions about who gets to speak for encryption. As the leading end-to-end messaging platform, its technical perspective and global footprint might reasonably have added weight to the Tribunal’s understanding of broader risks. Its absence means the court will hear arguments from campaigners and Apple alone, but the ruling will likely affect a much wider community of providers, developers and users.

The Tribunal’s decision to hold a mostly open hearing is a rare opportunity for meaningful legal and public scrutiny of the UK’s approach to encrypted data. However, the reliance on “assumed facts” and continued insistence on neither confirming nor denying the order’s existence means that transparency will remain partial. For those on all sides of the encryption debate, that balancing act between openness and secrecy is likely to remain a defining feature of the months ahead.

The UK has switched on its most powerful supercomputer to date, Isambard-AI, a machine purpose-built for artificial intelligence research that now ranks 11th globally in the TOP500 list.

A Major Leap in UK Computing Power

Isambard-AI was officially launched in mid-July at the University of Bristol, marking a significant milestone in the UK’s push to become a global leader in AI and high-performance computing (HPC). Developed by Hewlett Packard Enterprise (HPE) using its advanced Cray EX architecture, the system is powered by more than 5,400 NVIDIA GH200 Grace Hopper Superchips and is housed within the Bristol Centre for Supercomputing.

Its raw computing performance reaches 216.5 petaflops, with a peak theoretical output of 278.6 petaflops. For comparison, one petaflop equals one quadrillion (that’s 1,000,000,000,000,000) calculations per second … i.e a million billion! To put that in context, Isambard-AI is over ten times more powerful than the UK’s next-fastest system, London’s Njoerd supercluster.

Also, this new machine is not just the fastest in the country, but also ranks sixth in Europe and is currently the fourth greenest supercomputer in the world, according to the Green500 sustainability rankings.

What Exactly Is a Supercomputer?

Supercomputers are specialised computing systems built to process enormous quantities of data at extremely high speed. Unlike everyday computers, which typically operate using a handful of processing cores, supercomputers use thousands, or in Isambard-AI’s case, tens of thousands, to perform vast numbers of calculations in parallel. This makes them indispensable for complex simulations, deep learning models, and data-heavy scientific research.

Isambard-AI is part of the UK’s Artificial Intelligence Research Resource (AIRR), a national programme aimed at making cutting-edge computing capacity available to public researchers and innovators. This includes major UK universities, startups, and even NHS-linked projects.

Built for AI But Designed for More

Although it has been purpose-built with AI workloads in mind, Isambard-AI is also designed to accelerate scientific discovery across a range of domains. For example, early projects already underway include helping researchers at University College London develop faster, more accurate prostate cancer detection systems, and assisting scientists at Liverpool in the discovery of greener, more sustainable industrial materials.

Isambard-AI is also expected to play a role in climate modelling, vaccine research, and training of large language models (LLMs), which require substantial computational resources. These capabilities align with the government’s broader ambitions to use AI to tackle national challenges, such as reducing NHS waiting times and supporting energy transition goals.

Peter Kyle, the UK’s Secretary of State for Science, Innovation and Technology, described the supercomputer as a catalyst for national progress: “Today we put the most powerful computer system in the country into the hands of British researchers and entrepreneurs… It will propel the UK to the forefront of AI discovery.”

Bristol at the Centre of UK Supercomputing

Isambard-AI is hosted at the National Composites Centre near Bristol, a strategic choice given the University of Bristol’s long-standing leadership in high-performance computing and AI research. The supercomputer’s name Isambard also comes from Isambard Kingdom Brunel, the pioneering Victorian engineer whose legacy is deeply tied to Bristol through landmark projects like the Clifton Suspension Bridge and the Great Western Railway.

The university already operates another major system, Isambard 3, a CPU-based machine aimed at traditional scientific modelling. Together, the two systems provide an integrated platform for advanced research, all with an eye toward sustainability.

According to Professor Simon McIntosh-Smith, Director of the Bristol Centre for Supercomputing, “We built Isambard-AI to serve the UK research community and help solve some of the world’s toughest problems. Seeing it recognised among the world’s best is a real testament to what’s possible when brilliant people come together with a shared vision.”

He also noted the importance of partnerships in realising the project, thanking contributors including HPE, NVIDIA, Arm, DSIT, UKRI, and STFC.

Where It Ranks Globally And Why That Matters

In the June 2025 TOP500 rankings, an internationally respected benchmark for supercomputers, Isambard-AI entered the list at number 11, placing the UK firmly back on the global HPC map.

At the top of the list is El Capitan, a US-based machine boasting an actual performance of 1,742 petaflops. Other American systems, Frontier and Aurora, rank second and third respectively, both operating at the exascale level, a threshold defined as at least 1,000 petaflops. These machines are considerably more powerful, but also reflect much higher investment levels and longer development cycles.

Europe’s top contender, Germany’s JUPITER Booster, ranks fourth, while Italy’s HPC6 (6th) and Leonardo (10th), Switzerland’s Alps (8th), and Finland’s LUMI (9th) also sit in the top 10. Isambard-AI’s arrival just outside this elite group is still a substantial leap for the UK, which in recent years had slipped behind in HPC capacity.

Its global position also supports the UK’s industrial ambition. For example, as the government stated in its July announcement, the goal is not merely to use AI technologies but to become an “AI maker rather than an AI taker”.

A Publicly Funded, Open Access System

The development of Isambard-AI was funded through a £225 million government investment, part of a wider strategy to create national infrastructure for emerging technologies. The system is built to be open-access, meaning academic researchers, public institutions, and SMEs across the UK can apply for use, thereby potentially democratising access to otherwise inaccessible computing power.

Will Work With Dawn

Isambard-AI will work in tandem with Dawn, another AI-focused machine based at the University of Cambridge, though the systems are not physically connected. Both form the initial backbone of the UK’s AIRR initiative, which aims to expand computing resources twenty-fold over the next five years.

Alongside this, the government is investing in skills development, pledging to train 1 million students and 7.5 million adults in AI-related skills in the coming years.

Challenges, Costs and Competition

Despite the achievement, Isambard-AI is not without its challenges. For example, one significant concern is energy use. Supercomputers are notoriously power-hungry, and although Isambard-AI ranks highly for energy efficiency, its environmental impact is still non-trivial. Liquid cooling systems and heat recovery features help mitigate this, but the issue remains a live one, especially as public scrutiny of AI’s environmental footprint increases.

There are also questions about how effectively such a system can be accessed and utilised outside of academia. While the machine is open to UK researchers, some have warned that access processes can be bureaucratic or overly restrictive, potentially limiting SME and startup engagement.

Another challenge lies in keeping pace with international rivals. Although Isambard-AI is the UK’s most powerful supercomputer today, its time at the top may be brief. A £750 million investment in a future exascale system in Edinburgh has already been announced — one that could launch later this decade and potentially place the UK within the top five globally.

David Hogan, NVIDIA’s European Vice President, described Isambard-AI as “a truly transformational machine”, but acknowledged that this is “just a starting point”. For Britain to retain its momentum in AI and supercomputing, further investment, collaboration and long-term strategy will be essential.

What Does This Mean For Your Business?

Looking ahead, the arrival of Isambard-AI marks a critical inflection point in the UK’s scientific and technological capabilities. With serious backing from government and academia, it gives British researchers and developers access to one of the most powerful computing tools currently available anywhere in the world. That matters not just for scientific prestige, but for practical impact. From accelerating cancer diagnostics to designing greener materials, this machine is already being used to tackle problems with far-reaching consequences.

For UK businesses, particularly in life sciences, clean tech, and AI development, the launch could lower the barriers to entry for high-performance computing. By offering open access through the national AI Research Resource, smaller firms and startups may gain capabilities previously reserved for large institutions or well-funded labs. If the system is made genuinely accessible in practice as well as in principle, it could give British tech innovators a competitive edge in a global market that increasingly depends on large-scale compute.

At the same time, the launch sends a clear signal internationally. After years of falling behind in supercomputing capacity, the UK is now back in contention. Although it still lags behind US and some European systems in raw performance, Isambard-AI has vaulted the UK into the top tier of AI infrastructure providers. The challenge now will be maintaining that momentum. With a more powerful exascale machine already planned in Edinburgh, the question will not just be how fast these systems are, but how effectively they are integrated into wider research and commercial ecosystems.

Isambard-AI shows what’s possible when public investment, private expertise and academic leadership align around a shared goal. The task now is to ensure it delivers not just world-class performance, but world-class value.

Dutch file-sharing platform WeTransfer has sparked uproar after quietly adding language to its terms of service suggesting it could use customer files to train AI models, then swiftly removing the clause following backlash.

What Users Spotted and Why It Sparked Alarm

The controversy erupted in mid-July when eagle-eyed WeTransfer users, including high-profile creatives, flagged an update to the company’s terms of service set to take effect on 8 August 2025. In particular, Section 6.3 introduced wording that granted WeTransfer a “perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable licence” to use uploaded files for operating and developing the service, including, crucially, to “improve performance of machine learning models that enhance our content moderation process.”

To many, that appeared to signal a quiet expansion of rights that could allow WeTransfer to use (or even monetise) user-uploaded content for artificial intelligence (AI) training.

Among the concerned voices was UK children’s author and illustrator Sarah McIntyre, who took to X (formerly Twitter) to say: “I pay you to shift my big artwork files. I DON’T pay you to have the right to use them to train AI or print, sell and distribute my artwork and set yourself up as a commercial rival to me.”

It seems that such concerns weren’t unfounded. The clause appeared to echo patterns seen elsewhere in the tech world, where companies including Zoom, Adobe, Slack and Dropbox have faced recent backlash over vague or overly broad licensing updates connected to AI development. As AI tools become more powerful and accessible, the question of whose data fuels them, and with what consent, has become a flashpoint in digital rights and trust.

Why This Matters for Business Users

For many creatives and businesses, WeTransfer has long positioned itself as a privacy-respecting, user-friendly alternative to more data-hungry services. Its clean interface, strong brand identity, and explicit support for the creative industries made it especially popular with freelancers, studios, and design teams.

However, as a result of this latest incident, that trust now appears to be under scrutiny. If the AI clause had remained, businesses could have faced the uncomfortable possibility that internal documents, pitch decks, drafts, artwork, or sensitive visual assets might be used, not just to train algorithms, but potentially to inform systems well beyond the original upload. Even if restricted to content moderation purposes, the lack of clarity raised red flags.

For example, a design agency transferring client work via WeTransfer might wonder whether its bespoke assets could end up being parsed for machine learning, however indirectly. A photographer might fear her original image files could be used to train image recognition or generation tools. And a marketing firm sharing early brand materials might question what “derivative works” could technically include.

Although WeTransfer insists that no such usage has occurred, the lack of clear technical limitations in the original clause left too much room for doubt.

WeTransfer’s Response

Within days of the backlash, WeTransfer issued a formal press release clarifying its position. It insisted that the controversial clause was a misstep and that the company does “not use user content to train AI models, nor do we sell or share files with third parties.” The company acknowledged that AI had been under consideration “to improve content moderation,” but confirmed that “such a feature hasn’t been built or deployed in practice.”

The statement added: “We’ve since updated the terms further to make them easier to understand. We’ve also removed the mention of machine learning, as it’s not something WeTransfer uses in connection with customer content and may have caused some apprehension.”

Clause Now Dropped

Following the uproar, it seems that, in an updated version of Section 6.3, the AI-related clause was dropped entirely. For example, the new text grants WeTransfer a royalty-free licence to use content strictly for “operating, developing, and improving the Service, all in accordance with our Privacy & Cookie Policy.” Importantly, it reinforces that users retain ownership and intellectual property rights over their content, and that processing complies with GDPR and other privacy regulations.

What’s Changed and What Hasn’t?

From a legal perspective, WeTransfer’s licensing terms weren’t entirely new. Earlier terms already included broad usage rights necessary to operate the service, such as the ability to scan, index, and reproduce files. However, the new inclusion of AI-specific language, especially amid public concern about AI and data usage, introduced a new level of perceived risk.

As the company explained: “The language regarding licensing didn’t actually change in substance compared to the previous Terms of Service… The change in wording was meant to simplify the terms while ensuring our customers can enjoy WeTransfer’s features and services as they were built to be used.”

Nonetheless, perception matters. For example, the way the AI clause was introduced, without technical limitations, public explanation, or opt-out options, appeared to really undermine confidence at a time when many businesses are increasingly sensitive to data governance.

Broader Industry Fallout and Lessons for Tech Providers

WeTransfer is far from alone in facing scrutiny over AI terms. For example, back in 2023, Zoom had to walk back similar policy updates after suggesting it could use customer audio and video to train its AI models. Dropbox, Slack, and Adobe have all been forced to issue clarifications in recent months after terms of service changes sparked similar fears.

For regulators, the episode highlights ongoing gaps in user protection. In the UK, the ICO (Information Commissioner’s Office) has warned companies that AI development must respect explicit consent, clarity of purpose, and data minimisation, all of which could come under strain when licensing terms are broadly written.

For businesses, the incident is a reminder to read the fine print, especially as more cloud services evolve their models to incorporate generative AI, content filtering, and user analytics.

As an example, a marketing team using file-sharing services or cloud-based creative tools should now routinely assess licensing clauses for AI-related language, even if those features are not currently in use. Procurement teams may also need to establish red lines around AI usage to safeguard proprietary material.

Trust Takes Time to Build And Moments to Erode

Despite WeTransfer’s efforts to clarify and course-correct, replies on social media appear to remain largely sceptical. Some users have suggested the company had been testing the waters for broader AI permissions, only to retreat when the backlash hit. Others have expressed a desire to move to alternatives, such as Swiss-based Tresorit or Proton Drive, that offer end-to-end encryption and stronger privacy guarantees.

While WeTransfer may weather the storm, the event highlights a wider issue for the tech industry, i.e., transparency around AI is no longer optional. As public awareness of AI training practices grows, even small wording changes can trigger major reputational fallout. And for companies built on the trust of creative professionals, that risk is especially acute.

What Does This Mean For Your Business?

For UK businesses and creative professionals in particular, this episode serves as a clear warning that assumptions about how cloud-based platforms handle data can no longer be taken at face value. The practical risk may have been limited in this instance, but the reputational impact is real, and the consequences of poor communication are hard to reverse. For companies that regularly transfer visual, written, or proprietary material via WeTransfer or similar services, it may prompt a review not only of terms and conditions, but of where and how sensitive files are shared in future.

For WeTransfer, the timing could hardly be worse. As demand grows for privacy-conscious alternatives in an AI-saturated market, any perception of blurred boundaries risks handing competitive advantage to rivals positioning themselves as more transparent or security-first. Providers such as Proton Drive, Filestage and Internxt are already responding to this shift, actively marketing their commitment to zero-knowledge infrastructure and end-to-end encryption.

Regulators and legal teams are also likely to be watching closely. The blurred line between operational necessity and expansive licensing is fast becoming a regulatory priority. In the UK, organisations working in regulated sectors, such as legal, health or financial services, may find that contract terms involving generative AI now trigger enhanced scrutiny from internal compliance and external auditors alike.

The broader takeaway from this story is that, as AI becomes more embedded in the digital infrastructure businesses rely on, consent must be granular, wording must be clear, and trust must be continually earned. WeTransfer’s quick backtrack may limit the immediate fallout, but it will likely be remembered as yet another sign of how easily tech companies can alienate users when they fail to communicate transparently, especially when the stakes involve creative ownership, client confidentiality, and commercial value.