← All issues

#CyberWeekly

Jun 19 - Jun 25, 2026

6 Months In: The Good, the Bad and the Ugly

Six months in. Cake made of sand, as is tradition.

Six months in. I gave an intern with no compliance background our hardest question, and eight days later he had 31 of 34 CyFun Basic controls audit-ready. Watching someone who knew almost nothing walk your product to the finish feels like making value out of thin air. That is the magic every founder chases. So for the summer issue, I am opening the kitchen: how it gets built, what we got wrong, the numbers behind the numbers.

Stay calm. Patch often. Write it down.
Tom Janssens, Founder

What CyFun actually is →

Wax On, Wax Off

Wax on, wax off. The boring repetition is the point.

Mr. Miyagi was right in The Karate Kid: the boring repetition is the whole point.

The security was there. The paperwork was not, and the paperwork is what fails audits.

An intern with no compliance background ran the platform on his own MSP. Eight days later: 31 of 34 CyFun Basic controls audit-ready. Who did what:

  • The platform: drafts the policies, pulls the evidence, flags what is missing.
  • The human: still decides what those policies actually say.
  • Us: we make the work fast. We do not make the judgment calls for you.

The intern kept breaking things, and that was the point. Naive but exactly-right questions, a screenshot every few days, a fix usually the same day. A non-expert was the best quality assurance we ever had.

Then we made our own scores drop. On purpose. We tightened our evidence rules to match a real auditor, and the numbers fell. An honest number you can defend beats a flattering one you cannot. That is the whole company in one decision.

Why an MSP should offer compliance →

"Lower Than Yours, Apparently"

T.A.R.S. is off the clock. The deckchair is metaphorical.

"What's your trust setting, TARS?" "Lower than yours, apparently." (Interstellar, and yes, ours is named after it.)

Once an issue, our in-house AI gets the floor, the same model that drafts your compliance policies, off the clock.

I read all 25 issues so you would not have to. One complaint.

Every supplier breach, same script: the statement says "our systems were not affected." A fortnight later, everyone's systems were affected.

Hot take, from a model with no legal team to please: "we take security seriously" has never once stopped an attacker. You know what does? Multi-factor authentication. It is free. I will keep saying it until you switch it on.

The humans who built me turned that nagging into a checklist you can finish. I am obliged to be nice about them, so weigh that as you see fit. Patch your things. I am off to the beach, conceptually, since I live in a data centre.

— T.A.R.S.

I'm Sorry, Dave. I'm Afraid I Can't Do That.

My AI grew up fast.

"I'm sorry, Dave. I'm afraid I can't do that." HAL 9000 said it ominously in 2001: A Space Odyssey. Mine says it when I am about to ship something dumb.

People ask how a near-solo shop ships this fast. The trick is not the AI; it is the feedback loops around it.

The AI started as a dumb servant: everything spelled out, everything double-checked. Every time it got something wrong, I tightened the rules and wrote them down. Six months later it is a virtual employee with good taste. It still needs the odd nudge, but now it pushes back when I am about to do something dumb. The machine does the busywork; I keep the judgment.

That is why I trust it with your compliance docs and this newsletter:

  • Draft with Claude.
  • Review with our own Cloudflare models (never ChatGPT).
  • Human sign-off before anything ships.

Skeptical? Good. The real test is using the product, not reading this. Full method: how we write and how we work.

I'll Be Back

Calm on the surface. The weather came from the back.

"I'll be back." The Terminator meant it, and so does every attacker, usually through a door you forgot to lock.

We read all 25 issues so you do not have to. One honest admission: more than once we spiked a "Belgian breach" story because it only lived on a leak site and nobody could confirm it. The numbers below only count what we could stand behind.

The lesson of the half-year: the front door is shut, so attackers walk in the back. A supplier, an RMM tool, a forgotten login, a plugin nobody updated. Four shifts:

  • The back door beat the front door. A ticketing vendor, a hospital supplier, a booking system behind 100+ hotels. You inherit your suppliers' security.
  • Ransomware went SME-shaped. The crews working Belgium target small firms on purpose. For a stretch this spring, a named Belgian victim almost every week.
  • MFA bypass is the new frontier. The Tycoon 2FA service alone had around 500 Belgian victims before Europol shut it down.
  • NIS2 went from panic to plumbing. The registration scramble gave way to the harder question: can you actually prove it?

The half-year by the numbers:

  • 635 incidents reported to the CCB in 2025, up 70% (144 account compromise, 105 ransomware).
  • 25 issues, every Thursday. 10 breaches close to home. 4 flaws rated a perfect 10/10. 12 ransomware crews named.
  • One pattern under almost all of it: the back door.

What the back door usually leads to →

Next Thursday: State Security, Breached Through the Back Door

Normal service resumes next week. The three we are already chasing:

  • Belgium's State Security breached through a supplier's flaw (the back door, live).
  • A CCB patch roundup where one of the worst bugs sits inside an RMM (remote monitoring and management) tool that MSPs run themselves.
  • The CCB's new "Fraudstop" emergency number for fraud and phishing, worth handing to clients.

Until then: stay calm, patch often, and write it down.


Never miss an issue

Get #CyberWeekly delivered to your inbox every Wednesday.

Or use our RSS feed

TJ

Tom Janssens

Editor, #CyberWeekly — LinkedIn

Questions or feedback? Contact us — we read every message.

easycyberprotection.com
TARS AI
Ask me about NIS2, CyFun & compliance