The Metaverse will transform business operations, from virtual meetings to immersive 3D customer experiences or property tours. According to Gartner’s prediction, by 2026 a quarter of us will spend at least one hour a day in the Metaverse for official work, shopping, education, social media, and/or entertainment. Although a few organizations, such as Nike and Coca-Cola, are already there, they are using it for branding and purchasing physical products.
With so much talk around the Metaverse, it’s easy to see why more organizations will start doing business there. But are they thinking about the risks? Of course, we will need a different strategy for security in a virtual world compared to the physical one, but what will that entail? Let’s take a look at what the risks are and how to start getting prepared (because you do need to start now).
The major hurdle to the Metaverse being a secure environment is in its foundations. The Metaverse is built on blockchain technology, and we have already seen severe security gaps in NFT marketplaces and blockchain platforms such as OpenSea, Rarible, and Everscale. Due to the sheer amount of malicious activity that we already see exploiting services based on the blockchain, we believe it won’t be long before we start to see initial attacks in the Metaverse, as reported in our recent Check Point Mid-Year Security Report. These attacks will likely be based on authorization, with user accounts being hijacked, so we expect identity and authentication to sit at the heart of everything we want to do.
According to a report by DappRadar, a company that tracks user behavior across blockchain projects, over half a million Indian users have shown interest in non-fungible tokens (NFTs) and metaverse projects. India ranks fifth in terms of interest in metaverse projects, behind only the US, Indonesia, Japan, and the Philippines.
It is tricky, though, as people might want multiple identities within the Metaverse, perhaps one for transacting work conversations and another for personal shopping and entertainment. This adds another layer of complexity because no single identity says it’s definitely you. The answer could be in chained essence, so will blockchain then help us understand where we’re transacting and who with? This is a significant challenge. And since blockchain technologies are decentralized and unregulated, things like policing the theft of virtual assets or preventing money laundering are difficult.
Another key security challenge is in the safe spaces needed to conduct business. Imagine you’re on a Zoom or Teams call. It’s a private meeting space, right? But what will that be like in the Metaverse? How do we know that a chair someone sits on isn’t an avatar, and we have an impostor in our midst? You may think that can’t possibly happen, but it’s a virtual world. Of course, it can. We need to discern between what’s real and what’s fake, and having a safe space to meet and transact will be crucial.
When the Internet emerged, threat actors exploited the average human’s unfamiliarity with the tech by creating malicious sites that impersonated banks to obtain financial details. Phishing scams still occur, albeit we now see more sophisticated forms of social engineering. The Metaverse is like a new Internet; you can guarantee that people’s unfamiliarity with it, both businesses and consumers, will be exploited.
Interestingly, every transaction on the blockchain is fully traceable, so this will become far more important, especially when it comes to having an audit trail of what has been discussed and any decisions made in a business context. But that leaves a question over how that information is taken from the virtual world to the physical. Are contracts going to be legally binding in the Metaverse? Or will they need to be brought into the physical world to be signed and then pushed back in? How will that be done securely?
Researchers have discovered security gaps within blockchain and crypto projects which are part of the Metaverse. The vulnerabilities exploited by cybercriminals fall into two groups: flaws in smart contracts that allow hackers to exploit and drain crypto platforms, and application vulnerabilities inside blockchain platforms that allow hackers to attack through the platforms and hijack users’ wallet balances. There is a danger that we rush headlong into the Metaverse without considering these types of implications.
Many concerns around security in the Metaverse are exacerbated by the huge skills shortage in the cybersecurity sector. According to the 2021 (ISC)² Cybersecurity Workforce Study, we lack almost 3 million cybersecurity professionals, and the current global cyber workforce needs to grow by 65% to defend organizations’ critical assets effectively. That percentage is likely to be much higher if we consider the new virtual world.
Is it worth it?
Other cybersecurity risks within the Metaverse abound, such as cyberattacks that use vulnerable AR/VR devices as an entryway for evolving malware and data breaches. These devices inherently collect large amounts of user data and information, such as biometrics, making them attractive to hackers. Concerns around data privacy are also growing among Metaverse sceptics, with additional data being collected through avenues like Second Life, potentially violating user privacy.
You might be reading this thinking, why bother if there are so many risks involved? But it is worth putting the time in to get ready to move across to the Metaverse. Unfortunately, any company (no matter the size) that doesn’t may find itself in a place where it’s playing catch up and potentially losing out on business or engaging in processes that put the business at risk. You can transition slowly, just like many have done with cloud migration.
Organizations will need to rely much more on their partners worldwide to help mitigate risk, as this is a global phenomenon. But there will always be some risk; for those who take it and get it right, there will be huge rewards. At the end of the day, though, businesses won’t be able to do it themselves; it will take a great deal of partnering with organizations that work within that space. The Metaverse will hit everyone, and there’s no denying that mistakes will be made, similar to those made in the early days of the Internet.
Top Metaverse security considerations right now
- It’s coming. You can’t put your head in the sand and pretend that it isn’t. Business leaders and security professionals need to talk about it and understand what it might mean for them. Understand the landscape by looking at what competitors are doing in that space.
- Look at how you currently run services in the physical world and understand if these services map to the Metaverse. You may find that some of them don’t and aren’t secure in this world, such as mobile devices, tablets, cloud, and multi-cloud.
- Understand how to get your identification and authentication done correctly. The answer isn’t just having a password or two-factor authentication. Companies need to start upping their game around these two issues. People tend to do things without considering security, but they should consider safety first.