
#CyberWeekly

Jun 5 - Jun 11, 2026

A German court just made Google answer for what its AI says about your business

Spoken by the machine, owned by the company.

If Google's artificial intelligence (AI) summary tells the world your company is a scam, that is now Google's problem, not just yours. The Regional Court of Munich ruled that AI Overviews, the AI answers above search results, are Google's own content, and granted an injunction after two Munich publishers were falsely linked to scams and dubious business practices.

  • What the court said: the AI made claims "that are not even made in the search results", so the traditional search-engine liability shield does not apply. Google's defence that users could check the links themselves was rejected
  • Where it stands: the decision is dated 28 May and became public this week. It is a preliminary injunction, so an appeal is still possible, and Google was ordered to carry 80 percent of the costs
  • Why it matters for you: small firms live and die by what search says about them. If an AI summary misdescribes your business, there is now a legal lever in the European Union, not just a feedback button
  • The flip side: the same logic lands on you. Content your business generates with AI is your own words in the eyes of a court, whoever wrote the prompt

AI that confidently states things nobody actually wrote is exactly the failure mode we cover in our guide to AI threats. Worth a read before your customers, or a judge, read the output for you.

The Decoder (9 June 2026) →

Platform Spotlight: evidence that names exactly which devices it covers

Coverage you can see at a glance. Towels optional.

"We have a config snapshot" is not the same as "we have a config snapshot for these 13 laptops". This week the platform learned the difference: every piece of evidence can now carry a precise scope, and a new coverage matrix shows where the gaps are, per group, at a glance.

  • Evidence with a scope. Attach a document and say exactly which devices or people it covers. The platform proposes the shortest honest description automatically, like "Servers" or "everyone except contractors", so you confirm instead of type
  • The remainder is one click. If evidence covers 13 of 17 devices, the other 4 are shown by name, with three ways to close the gap: attach more evidence, mark them out of scope, or accept a sample. The choice is yours, and it is recorded with a justification
  • The coverage matrix. A new tab per client crosses entities and groups against controls: covered, sample, missing or out of scope per cell. It is the "where do we stand, by location" view MSPs asked us for, and the auditor's export shows the same resolved scopes
  • Bonus: our pricing now has a short address. easycyberprotection.com/pricing takes you straight to the full fee schedule, no form, no call

Scoped evidence was built because a managed service provider (MSP) partner needed to prove coverage per site, not per spreadsheet. If you are scoping a NIS2 engagement, our scoping guide walks through the same questions.

Try it now →

CCB patch watch: your backup server, your firewall VPN, and a record Patch Tuesday

The Centre for Cybersecurity Belgium (CCB) had a loud week, and two of its warnings point at the exact systems that decide whether a ransomware incident is an annoyance or a catastrophe: the backup server and the firewall VPN.

  • Veeam Backup & Replication: CVE-2026-44963 (severity 9.4). Any signed-in domain user can run code on a domain-joined backup server. CCB said "patch immediately" on 10 June; the fix is build 12.3.2.4854, and version 13 and workgroup-mode servers are not affected. No attacks seen yet, but the backup server is the first thing ransomware crews destroy, so patch before that changes
  • Check Point VPN: CVE-2026-50751 (severity 9.3), actively exploited. Attackers can open a virtual private network (VPN) connection without valid credentials. CCB warned on 9 June, the United States added it to its exploited-vulnerabilities list on 8 June, and the affected range includes the Quantum Spark firewalls sold to smaller businesses. Note CCB's fine print: patching does not undo access an attacker already gained
  • Microsoft Patch Tuesday, 9 June: 206 fixes, 33 critical. Three publicly known holes, including CVE-2026-50507, a BitLocker bypass with public attack code that CCB rates "highly likely" to be exploited. BitLocker is what keeps a stolen or lost laptop unreadable, so do not let this one linger in the update queue
  • Also flagged: a maximum-severity Ivanti Sentry hole was being used to plant backdoors within two days of disclosure, and Fortinet FortiSandbox got a critical fix with public attack code circulating

One week, four "patch immediately" calls on systems most SMEs never look at. That is why patching belongs on a calendar, not in a panic. Our patch-management guide sets the rhythm, and our backup guide explains why that one server deserves special treatment.

Centre for Cybersecurity Belgium advisories →

One cracked password and a forgotten emergency account: anatomy of an 871 GB breach

The emergency exit was the way in.

The Dutch municipality of Epe published the post-mortem of its March cyberattack this week, and it reads like a checklist of small gaps that added up: 871 gigabytes and roughly 550,000 files walked out the door, including personal data from the population register and around a thousand copies of identity documents.

  • The way in: a ClickFix lure, the fake "prove you are human" page that talks an employee into pasting a malicious command into their own computer. One paste on 10 March was enough for a foothold
  • The way up: the attacker cracked an administrator password, then reached the break-glass emergency account, which had no multi-factor authentication (MFA) precisely because it was meant for emergencies
  • The way out: hundreds of gigabytes left for cloud storage before the intrusion was spotted two days later
  • The lessons travel well: MFA on every privileged account, including the emergency ones; train staff that no legitimate check ever asks you to paste a command; and watch what leaves your network, not just what enters it

A municipality of 32,000 residents is the size of many Belgian SMEs' customer base, and the same three gaps are common in small businesses. Start with the account side: our guide to two-factor authentication covers the accounts everyone forgets.

Security.NL (5 June 2026) →

Using AI to write content? The EU's labelling rules land on 2 August

On 10 June the European Commission published the final Code of Practice on marking and labelling AI-generated content, the practical how-to for transparency duties under the EU AI Act that start applying on 2 August 2026.

  • What it covers: AI-generated and AI-manipulated content must become recognisable. Providers mark it machine-readably; businesses that publish it must clearly label deepfakes and AI-written text on matters of public interest
  • Why a code of practice matters: it is voluntary, but it is the European Commission's own playbook for complying with the binding rules, so following it is the low-risk path
  • The quiet first step for SMEs: you cannot label what you do not know about. Take an inventory of where AI already writes for your business, the official tools and the ones employees quietly use, before August makes the question formal

Together with the Munich ruling above, the direction is unmistakable: AI output is becoming something businesses formally own and answer for. Why we think AI should assist compliance rather than impersonate it: our take on AI and compliance.

European Commission (10 June 2026) →



Tom Janssens

Editor, #CyberWeekly — LinkedIn


easycyberprotection.com