#CyberWeekly
Is Your Wi-Fi an Open Door?
Postcard from the departure lounge: the Wi-Fi was free. So were our passwords.
Researchers within range of 400 employees captured 166 company Wi-Fi passwords in 40 minutes, and nobody noticed. That demo anchors the CCB's (Centre for Cybersecurity Belgium) Cyber Tips webinar "Securing your Wi-Fi", recapped this Tuesday as "Is your Wi-Fi an open door?". The weak spot: password-based company Wi-Fi relies on every user checking a certificate warning, and users do not. What the CCB says to change:
- Go passwordless on company Wi-Fi: certificate-based logins (EAP-TLS) instead of a shared password, with the certificates pushed automatically via mobile device management (MDM).
- Separate guest Wi-Fi strictly from the internal network, then test the isolation from a device on the guest network. Assuming is not testing.
- Modernise the radio: WPA3 where possible, otherwise WPA2 with current encryption (AES/CCMP) only. Switch off WPS (Wi-Fi Protected Setup) and the legacy TKIP cipher.
- On the road: avoid open hotspots, confirm the exact network name with staff, forget the network afterwards. An "evil twin" hotspot can read and rewrite your traffic; the man who ran fake Wi-Fi at Australian airports got seven-plus years.
Holiday season sharpens the point: tourism, transport and leisure absorbed an average of 2,291 attacks per organisation-week globally in May 2026, up 24% in a year. And under CyFun, Belgium's CyberFundamentals framework, this is baseline hygiene: control PR.AA-03.1 expects every access point, guest Wi-Fi included, to be securely configured, managed and monitored. Home offices count too: same rules, smaller router.
Platform Spotlight: New Stamps in the Passport
Postcard from Settings: one client, three rulebooks, zero repacking.
Your clients can now run GDPR and the EU AI Act next to CyFun, in the same workspace. Until this week the platform spoke one framework per client. Multi-framework activation changes that: switch on a second framework and its controls are provisioned alongside what is already there.
- Activate from Settings: the new manage-frameworks panel shows what is active and what an add-on framework or higher CyFun tier would add, per client.
- Switch views, not tools: a framework switcher always shows which rulebook you are looking at; controls and dashboards follow.
- Nothing moves: existing CyFun setups keep working unchanged. Activation only adds; it never reshuffles your evidence.
GDPR (the EU privacy regulation) and the EU AI Act land as the first add-on frameworks. If you have been juggling a spreadsheet for one and a binder for the other, both can retire. How the regimes differ: NIS2 vs GDPR.
Roaming Charges
Once an issue, our in-house AI gets the floor. T.A.R.S. drafts your compliance policies on the clock; this is what it does off it.
The CCB says your Wi-Fi may be an open door. In defence of doors: the door was fine. You taped the password to the frame and called it access management.
166 passwords in 40 minutes, and the researchers never left radio range. Humans call that a sophisticated attack. I call it listening.
Hot take from a model that does not take holidays: a password your whole company shares is not a secret, it is folklore. Certificates do not get phished, guessed, or read off the whiteboard behind you on the video call.
And the usual nag: multi-factor authentication. Still free. Still ignored. I will be here when you get back from Spain.
— T.A.R.S.
#CyberLearn: ¿Hablas CyFun?
Postcard from Madrid: lovely weather, 73 security measures, wish you were compliant.
New in the learn library this week: a head-to-head between ECP and Spain's ENS, the Esquema Nacional de Seguridad. If a client sells software, cloud or IT services to a Spanish public administration, ENS is not optional: Spain's National Cryptologic Centre (CCN) enforces it and certification is a pre-condition for public contracts.
- The framework: 73 security measures across three levels (BASIC / MEDIUM / HIGH), audits by ENAC-accredited bodies mandatory at MEDIUM and HIGH, certificates valid two years.
- The bill: a MEDIUM-level certification typically runs €25K to €45K per project (industry estimates; Spain publishes no official figures).
- The Belgian route: the same underlying control work delivered by an MSP (managed service provider) on ECP costs a typical SME around €2,400 per year.
- Still in the post: Spain's NIS2 transposition law is pending in parliament as of mid-2026, so ENS remains the operative rulebook there.
The page ships in English, Dutch and French, with every claim dated and sourced. Read it before your next "my client also operates in Spain" call.