What do Komodo dragons, COVID-19 protein structures, and ancient papyrus scrolls from Pompeii have in common?
They’ve all been subjects of research at Diamond Light Source, the UK’s national synchrotron facility. Diamond plays a key role in global research, with over 14,000 researchers from around the world accessing its systems and data, around the clock. This constant access and the nature of its operations mean Diamond faces unique security challenges.
Cheryn Tan, Senior Cybersecurity Officer at Diamond, shares how the facility is navigating these challenges while tailoring its security awareness initiatives to an audience composed largely of scientists and research support staff.
Challenge 1: Availability is the priority
Diamond’s beamlines — 10 billion times brighter than the sun — operate 24 hours a day, six days a week, with specific time slots allocated to different research projects.
Disruptions to the beamlines can cause significant delays for critical scientific work. “We have to make sure the facilities onsite are configured with resilience, and that we provide robust access and authentication methods for researchers working remotely,” Cheryn explains.
“Availability is what people at Diamond are most concerned about. If the beamlines are unavailable, researchers can’t complete their experiments — with a knock-on effect on their publication deadlines and even PhD completions.”
This need for constant availability informs how Cheryn and her colleagues design security awareness initiatives to maximise their effectiveness. “We try to target what people care about — in our case, that’s the availability of systems and data.”
“We help staff understand that security measures are in place to protect their ability to keep working without interruptions.” This includes defending against phishing emails that could lock down systems and addressing weak passwords that might allow unauthorised access to crucial data.
Challenge 2: Remote access and global collaboration
Diamond Light Source is an international research infrastructure, with collaborators accessing its systems from all over the world. “Having people regularly logging in from different countries poses a challenge in securely managing remote access,” Cheryn says.
“In a more locally based organisation, an unrecognised login from a non-UK IP address might be suspicious. But for us, it’s usually legitimate.”
The cybersecurity team must filter out malicious login attempts without blocking legitimate users.
“We’re trying to find ways to improve and automate that process, but it still requires a bit of investigation. We need to ensure that security measures don’t block the researchers’ access to what they need, but instead enable them to continue working securely.”
Challenge 3: Balancing security with research needs
Like many research institutions, Diamond faces resistance to security measures. Researchers focused on their work often see security steps as frustrating obstacles.
“It’s difficult to avoid pushback,” Cheryn acknowledges. “Most people will be unhappy if you add more steps that feel like blockers.”
To mitigate this resistance, Diamond’s cybersecurity team involves staff from various departments in testing new measures before implementation.
“To minimise disruption, with security measures like multi-factor authentication we first test them with users from different departments and collect feedback before rolling out more broadly. We try to minimise exceptions, but if needed, we come up with secure alternative measures.”
Collaboration is key. “Maintaining open channels of communication and explaining the rationale behind security measures helps ease tensions.”
Diamond is also focusing on fostering secure development practices among its software engineers: “We want to build security into the software development process instead of it being an afterthought.” By engaging engineers and including security in the earliest stages of development, the team hopes to create more resilient systems overall.
Challenge 4: Tailoring security awareness for a diverse audience
Diamond’s workforce is as varied as its research projects, and the cybersecurity team must account for this when designing security awareness programmes.
“We implement mandatory staff training on security basics — password security, data protection, phishing emails, and social engineering — but we also supplement this with webinars, posters, and talks throughout the year,” says Cheryn.
“We have a very diverse range of backgrounds at Diamond, from beamline technicians to software engineers to HR and finance staff. And all of them have different levels of technical knowledge and ability.”
This means that a one-size-fits-all approach to security awareness doesn’t work. Diamond uses interactive training programmes and personalised communications to engage staff and researchers with different skill levels. One particularly successful initiative was a “choose-your-own-adventure” training exercise with multiple-choice options.
“We put participants in a scenario like: You’ve accidentally clicked on a phishing email — what do you do next? And then it spirals into seeing suspicious activity and systems going down. It helped bring home how quickly cyber attacks can escalate and have significant operational impacts.”
Cheryn and her colleagues plan to expand their awareness efforts by creating tailored messages targeting high-risk groups, such as researchers handling sensitive data. “We want to keep security front and centre without causing panic or security fatigue,” Cheryn adds.
Challenge 5: Ransomware threats
After seeing ransomware attacks cripple other research facilities in the last couple of years, Diamond pivoted its focus to mitigating this risk.
“We identified ransomware as the biggest cybersecurity challenge facing Diamond Light Source. It’s now clear it’s not just something that affects large for-profit businesses — academic and research institutions are also being targeted.”
Taking a proactive approach, last year Diamond’s cybersecurity team ran a series of crisis simulations and tabletop exercises to prepare staff for ransomware attacks. These helped people understand the consequences of ransomware and how to respond effectively.
“The crisis simulation workshops — which we’re currently expanding to include our partners — helped to bring home the message that ransomware is something we need to be ready for.”
Cheryn highlights an unusual challenge at Diamond: distinguishing legitimate large data transfers from potential ransomware threats, as research projects often involve substantial data exfiltration. Since exfiltrations can precede encryption and ransom demands, Diamond’s staff are trained to identify legitimate transfers. They have also engaged 24/7 threat monitoring of key infrastructure by a managed service provider to strengthen their defences.
Challenge 6: Measuring the effectiveness of security awareness
“Measuring the effectiveness of security awareness programmes is always tricky, and we’re still refining our approach,” Cheryn says. Diamond uses feedback surveys and tracks phishing-reporting rates, but they know these metrics don’t give the full story.
“It’s tempting to rely on easy measures like how many incidents we’ve had, but that’s not always the full picture. People are smart. They’re not just learning about security from us — they’re reading the news, talking to colleagues, and hearing about incidents at other institutions.”
An important element of Diamond’s security culture is creating a learning culture rather than a blame-oriented one.
“We don’t want to blame people if they fall for phishing attacks, but rather help them improve. Attackers are getting more sophisticated, and people make mistakes because they are tired or distracted. We want to make sure they feel supported.”
Summing up: Security as an enabler of research
Diamond Light Source’s cybersecurity efforts illustrate the balance between maintaining security and enabling world-class research. While staff may sometimes feel that security adds obstacles to their work, Diamond’s approach is to show how these measures enhance, rather than impede, research progress.
As Cheryn emphasises, “We sympathise with how sometimes an additional step feels like a hurdle, but we always try to position security as an enabler of research, not a blocker.”
By delivering tailored security awareness initiatives, engaging exercises, and open communication alongside robust systems, Diamond’s cybersecurity team ensures that scientists can continue their vital work while staying secure.
About Cheryn Tan
Cheryn Tan is a Senior Cyber Security Officer at Diamond Light Source, who has previously worked in companies including Vodafone and Red Hat. She is an ISACA Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC). Outside of work, Cheryn enjoys travelling, cooking, yoga (floor and aerial), and spending time with her dog.
Also this year GÉANT joins the European Cyber Security Month, with the campaign ‘Your brain is the first line of defence’. Read articles from cyber security experts within our community, watch the videos, and download campaign resources on connect.geant.org/csm24