Cybersecurity: Be aware, stay safe

December 14, 2021
We spoke to Sav Chawla, Vice President of OCWA’s I & IT Division, about the importance of cybersecurity and how to manage threats.

Cybersecurity – the protection of internet-connected computer systems and networks from outside attacks – is one of the most serious economic and security challenges Canada and Canadians are facing, according to the Canadian Centre for Cyber Security.

That may not be news. But maybe this is: Since the onset of the COVID-19 pandemic, organizations in Canada and around the world have seen a rise in cybersecurity incidents affecting corporate devices (according to reports from IBM SecurityPanda Security and others).

“One of the reasons is because more people are working remotely,” says Sav Chawla, OCWA’s Vice President of I & IT. “Even with excellent cybersecurity for work-at-home in place, organizations can face increased risk because people tend to behave differently at home than in the office.”

Risky behaviours

Risky behaviours include visiting unsafe websites while on a work device, allowing others in the household to use a work device, and using work devices for personal reasons. These behaviours put an organization’s network and data at risk. 

One of the most common methods cyber attackers use against individuals is phishing. This is where an attacker poses as a legitimate source in an email. The goal is to trick the recipient into sharing confidential data such as credit card and login information or to install malware on the victim’s machine by encouraging them to click on a link.

Sometimes there will be obvious indications that the email is fraudulent. For example, the sender’s email address will contain a series of jumbled letters and numbers and the message will contain typos, grammar mistakes and strange capitalization. However, Chawla notes, cyber attackers are becoming increasingly sophisticated and we should all be extra vigilant.

Email addresses forged

“More and more, organizations are experiencing a specific type of phishing called spoofing. Your employees receive an email from a trusted source – such as a work colleague or supplier – asking for sensitive information. But in fact a cyber attacker has forged the sender’s address.”

What can organizations do to protect themselves? “Awareness is key,” says Chawla. “You can have the best cybersecurity measures in place, but your employees are your best line of defence against cyber attacks. Help them to develop good cybersecurity hygiene through regular and up-to-date communications and training.”

Simulation exercises

Organizations may want to consider phishing simulation exercises as part of their cybersecurity toolkit, says Chawla. During these simulations, an IT department sends out fake phishing emails and tracks how people react. Some staff will identify the email as suspicious and report it – whereas others will click the link in the email. The clickers will get a pop up alerting them to the simulation. “These exercises can be very effective in raising cybersecurity awareness. They provide a real wake-up call for some staff.”

While phishing and other cybersecurity attacks against individuals are on the rise, so are those targeting businesses and organizations as entities, including utilities. Chawla cites the case earlier this year where a computer hacker gained remote access to a water treatment facility in Oldsmar, Florida, and tried to compromise the water supply. A quick thinking operator was able to interrupt the real-time attack, avoiding a potential public health emergency.

Data held ransom

Increasingly, hackers are using a form of malware attack called ransomware against victims. The ransomware prevents users from accessing their systems or data and demands the organization pay to regain access. A number of Canadian municipalities have experienced ransomware attacks over the past several years.

In the face of these increased threats, Canadian utilities are being prompted to assess their cyber systems for vulnerabilities and take action to protect their operations. For example, Halifax Water, which provides drinking water, storm and wastewater services to more than 300,000 people, is looking to beef up its cybersecurity.

As a trusted water/wastewater operator, OCWA considers the protection of client data and operational systems to be a top priority, says Chawla. The Agency employs robust cybersecurity measures, such as real-time detection, intrusion protection, regular employee training on cybersecurity threats, and advanced anti-malware software (read more in this past Waterline article).

Educate staff

Chawla adds that it’s “vital for municipalities themselves to also have protocols in place to protect their water and wastewater systems. For example, ensuring that any third party contractors they hire are accessing the systems in a safe way.”

She also recommends that municipalities and all organizations educate staff (especially those working from home) on cybersecurity hygiene and provide a clear and easy way to report suspicious activity. 

If you are an OCWA client and have questions about how we keep your data and systems safe, please reach out to your local representative or email

Additional Resources

Cyber. Right. Now. – Canadian Chamber of Commerce campaign
Get Cyber Safe – National public awareness campaign