
#CyberWeekly

Apr 20 - Apr 26, 2026

Platform Spotlight: snapshot your audit readiness, then watch it improve — across all four CyFun tiers

Snapshots in the sand — readiness captured, progress visible.

Last week was NIS2 D-Day. This week we shipped the tool for what comes next: Audit Readiness now has a Snapshot + History view, so you can capture your compliance state at any moment and see exactly how it evolves over time. And all four CyFun tiers — Small, Basic, Important, Essential — are now live end-to-end in Dutch, French and English.

  • Audit Readiness Snapshot + History: one click freezes your current readiness state (scores, gaps, evidence coverage) as a dated snapshot. History view lines up every snapshot on a timeline, so you can prove to an auditor that your maturity scores are climbing, not just that they exist today
  • Control Health — one unified view: we merged Audit Readiness and Maturity into a single Control Health surface. Less tab-hopping, one place to see whether a control has documentation, implementation evidence, and the right maturity score. Deep links between tabs preserve scroll and highlight the row you came from
  • Four CyFun tiers, complete: Important (132 controls) and Essential are now fully localised — Dutch and French translations for every control description, finding and action templates for each tier, CCB-scoped export that ships only the tier you actually need
  • Client-centric Roadmap: the dashboard now computes a deterministic "next step" for every client, so an MSP partner opening a client's workspace sees exactly what to work on first — no scrolling, no guessing
  • AI evidence rubric: TARS, our document assistant, now refuses to hand out passing scores for policy-only evidence. If a control needs both a documented procedure and proof that it runs in practice, TARS will tell you which half is missing

If you are an MSP onboarding a new client, the flow now reads: pick their CyFun tier, auto-provision the workspace, snapshot day-one readiness, then work through the deterministic next-step queue. When the auditor asks "how did you get here?", History is the answer. See the four CyFun levels explained, or the NIS2 audit guide.


Two Belgian municipalities, two very different Aprils — Temse stayed calm, Anderlues ended up on a leak site

Source: VRT NWS

Within five days, two Belgian local governments showed exactly how different the outcome of a cyber incident can be. Temse (East Flanders, ~30,000 residents) caught a suspicious tool on its servers before anything was stolen. Anderlues (Hainaut, ~12,000 residents) turned up on the TheGentlemen ransomware leak site.

  • Temse — prevention playbook: IT staff spotted unauthorised remote-monitoring software on municipal servers on April 16, pulled services offline and called in the CCB and Polis. By April 21 the CCB confirmed no data leaked. Full services were back on April 23
  • Anderlues — the leak-site way: on April 20 TheGentlemen ransomware group added Anderlues to its dark-web victim list. The municipality confirmed an incident to RTBF. Citizens still rely on anderlues.be for permits and e-guichet
  • The pattern: small and mid-size municipalities are 2026's soft target — limited staff, limited budget, services that must stay open. The difference between a two-day disruption and a months-long recovery is almost always time to detection
  • TheGentlemen context: Check Point Research published a full DFIR writeup of the group this week, including the SystemBC backdoor they chain with

If you are an MSP serving local government or any public-sector client, the lesson is blunt: monitoring that fires on unfamiliar remote-access tools is worth more than a thick policy binder. See our ransomware basics and the incident response guide for a checklist that would have produced a Temse outcome, not an Anderlues one.
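A sketch of what "monitoring that fires on unfamiliar remote-access tools" can look like, added here as an example and not taken from the CCB, Temse or any vendor. The tool-name fragments, the approved list, the host names and the events are all constructed assumptions; real telemetry would come from your EDR or process-creation logs.

```python
# Assumption: lowercase name fragments of common remote-access / RMM products.
# Substring matching is coarse; a real rule would also check signer and path.
REMOTE_TOOLS = ("anydesk", "teamviewer", "screenconnect", "splashtop", "rustdesk")

def classify(process_name):
    """Return the remote-access tool a process name matches, or None."""
    name = process_name.lower()
    return next((t for t in REMOTE_TOOLS if t in name), None)

def unfamiliar_remote_tools(events, approved, servers):
    """Alert once per (host, tool) when a remote-access tool is not approved."""
    alerts, seen = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        tool = classify(ev["process"])
        if tool is None or tool in approved:
            continue
        key = (ev["host"], tool)
        if key in seen:          # keep only the first sighting per host and tool
            continue
        seen.add(key)
        alerts.append({"host": ev["host"], "tool": tool, "first_seen": ev["time"],
                       "severity": "high" if ev["host"] in servers else "medium"})
    return alerts

# Constructed process-start events (not real telemetry).
EVENTS = [
    {"time": "2026-01-10T02:40:00", "host": "srv-files-01", "process": "AnyDesk.exe"},
    {"time": "2026-01-10T02:11:00", "host": "srv-files-01", "process": "AnyDesk.exe"},
    {"time": "2026-01-10T08:05:00", "host": "pc-helpdesk-3", "process": "TeamViewer.exe"},
    {"time": "2026-01-10T09:30:00", "host": "pc-finance-2", "process": "rustdesk-portable.exe"},
    {"time": "2026-01-10T09:31:00", "host": "srv-files-01", "process": "svchost.exe"},
]
APPROVED = {"teamviewer"}        # assumption: the one tool the helpdesk is allowed to use
SERVERS = {"srv-files-01"}       # assumption: hosts where any hit is high severity

if __name__ == "__main__":
    for alert in unfamiliar_remote_tools(EVENTS, APPROVED, SERVERS):
        print(alert)
```

The approved tool produces no alert, the server hit is raised as high severity with its earliest timestamp, and repeat sightings on the same host are collapsed into one alert.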

VRT NWS: Temse all-clear →

Bol.com and the rise of AI-fabricated 'fake breaches' — when the database for sale never existed

On April 21 a seller calling himself "Jeffrey Epstein" listed 400,000 Bol.com customer records on a crime forum for 100 euro. Dutch and Belgian media ran the story. Within 48 hours, researchers had proven the database was a fake — stitched together from an older unrelated breach and padded out with AI-generated rows. Bol confirmed there was no incident, no hack, no ransomware.

  • What gave it away: sample records contained the kind of too-neat patterns that large language models produce when asked to invent names, addresses and order data. Pricing at 100 euro for 400K records is also suspiciously cheap for a genuine fresh dump
  • The new trick: fabricate a breach, seed it on a forum, let the news cycle run, then extort the brand's reputation. Even a denial costs PR time. Several Belgian outlets ran the original claim before retractions caught up
  • Incident response implication: your playbook has to include "validate the claim before denying" as a first step. Denying too fast on bad data is almost as damaging as confirming too fast. Both cost trust
  • Who else to watch for: RetailDetail is calling this a new cybercrime trend — expect more AI-padded datasets attributed to household-name retailers. Banks, telcos and utilities are the obvious next targets

For MSPs: this is a client-communication story more than a technical one. Your clients will see a "breach" headline and panic. The right response is structured triage — is the sample real, does the schema match our data, do the emails exist in our CRM? Our phishing awareness guide now has a section on reputational-attack playbooks too.
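The three triage questions above can be turned into a repeatable check. The following is an added example, not code from Bol.com, Security.NL or the researchers; the schema, the thresholds, the CRM addresses and both seller samples are constructed assumptions.

```python
import hashlib

# Assumption: column names of our own customer table (constructed for this example).
OUR_SCHEMA = {"customer_id", "email", "first_name", "last_name", "postcode"}

def norm_hash(email):
    """Normalise and hash an address so triage works on hashes, not raw CRM data."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def triage(sample_rows, crm_hashes, our_schema=OUR_SCHEMA):
    """Compare a seller's sample with our own records; return signals and a verdict."""
    if not sample_rows:
        return {"verdict": "no-sample", "email_match": 0.0, "schema_overlap": 0.0}
    fields = set()
    for row in sample_rows:
        fields.update(row)
    schema_overlap = len(fields & our_schema) / len(fields) if fields else 0.0
    hits = sum(1 for r in sample_rows
               if r.get("email") and norm_hash(r["email"]) in crm_hashes)
    email_match = hits / len(sample_rows)
    # Thresholds are illustrative assumptions; tune them against your own data.
    if email_match >= 0.8 and schema_overlap >= 0.6:
        verdict = "likely-genuine"                    # handle as an incident
    elif email_match <= 0.25 and schema_overlap <= 0.5:
        verdict = "likely-fabricated-or-unrelated"
    else:
        verdict = "mixed"                             # needs manual review
    return {"verdict": verdict, "email_match": email_match,
            "schema_overlap": schema_overlap}

# Constructed CRM export (hashed) and constructed seller samples.
CRM = {norm_hash(e) for e in
       ["an@example.be", "bo@example.nl", "cy@example.be", "di@example.nl"]}
FAKE_SAMPLE = [
    {"email": "An@Example.be ", "name": "An A.", "phone": "000", "order_total": "19.99"},
    {"email": "x1@example.org", "name": "John Smith", "phone": "001", "order_total": "20.00"},
    {"email": "x2@example.org", "name": "Jane Smith", "phone": "002", "order_total": "30.00"},
    {"email": "x3@example.org", "name": "Jack Smith", "phone": "003", "order_total": "40.00"},
]
REAL_SAMPLE = [
    {"customer_id": "1", "email": "an@example.be", "first_name": "An",
     "last_name": "A", "postcode": "0000"},
    {"customer_id": "2", "email": "bo@example.nl", "first_name": "Bo",
     "last_name": "B", "postcode": "0001"},
]

if __name__ == "__main__":
    print(triage(FAKE_SAMPLE, CRM))
    print(triage(REAL_SAMPLE, CRM))
```

A low email match combined with a schema that does not look like yours supports "not our data"; a high match on both means the claim should be handled as an incident, whatever the asking price.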

Security.NL: Bol fake-breach analysis →

Patch now: Cisco Webex SSO impersonation (CVE-2026-20184, CVSS 9.8) — CCB advisory out

The CCB published a Yellow/High advisory on April 17 for CVE-2026-20184, a critical certificate-validation flaw in Cisco Webex Control Hub and SSO integrations. Rated CVSS 9.8, it lets an unauthenticated remote attacker forge a SAML assertion and impersonate any Webex user — including admins.

  • Who is affected: any organisation running Webex with SAML-based SSO (so, most Webex-at-work deployments). Belgian SMEs and MSPs with mixed Teams + Webex environments should treat this as urgent
  • What to do today: install the Cisco patch, then re-upload your SAML certificate in Control Hub to invalidate any pre-patch sessions. Review Webex admin audit logs for unusual SSO events since mid-March
  • Why it matters: an attacker who impersonates a Webex admin can add mailboxes, change meeting controls, or pivot into connected M365 tenants. SSO flaws never stay scoped to one product

The CCB advisories feed is worth a weekly skim even if you outsource patching. See the patch-management guide — "patch fast, patch together" works better than "wait for the window."

CCB: advisories feed →



Tom Janssens

Editor, #CyberWeekly
