As companies start using the metaverse for collaboration, training and conferences, as well as building customer-facing virtual worlds for entertainment, banking, e-commerce and social events, they will face a host of new security challenges.
How will they verify the identity of the people inhabiting digital avatars in virtual worlds? How will they establish trust with the avatars they’re interacting with? How will they share documents and other valuable assets without exposing their data to competitors and criminals? And, as users navigate the various corners of the metaverse, what protections are in place to help them maintain their own privacy?
Companies must embed privacy, authentication and other cyber protections into their metaverse environments from the start. Simply put, security in the metaverse needs to be embedded.
Confronting new security issues in new worlds
The metaverse is likely to create new security issues in these main areas:
• Identity. Remember the cartoon caption, “On the internet, no one knows you’re a dog”? In the metaverse, where interactions take place among avatars, the identity verification challenge will be daunting. The environment feels very human, so to speak, which encourages trust. But that avatar claiming to be your boss? Thanks to AI voice simulation, video deepfakes and other innovations, maybe it isn’t.
For similar reasons, parental controls will be more challenging to implement and easier for kids to circumvent, which has particular implications for virtual world game developers.
• Privacy. Eavesdropping will be an increased threat on some metaverse platforms. If you’re conducting a confidential discussion with someone, will you know whether others, whose avatars are in proximity, are surreptitiously listening in? What about content that is attached to your avatar, perhaps sensitive data from a critical application? And how to ensure that virtual conference rooms will be secure, including shielding presentations (or other content that’s being shared) from prying eyes?
• Transactions. If you’re trying to close a deal in the metaverse, how can you verify its terms and conditions in the real world? Virtual banking, a possible application for the metaverse, will present similar challenges. Banks will want to make their services highly personal, to differentiate them from current online banking apps. But they’ll also need to make them highly secure and safe, with powerful authorisation controls.
• Expanding attack surface. The metaverse will create more opportunities for criminals to conduct social-engineering tricks, confidence scams, fraud and more. More sophisticated versions of today’s attacks may find a home, and be harder to detect, too. Instead of clicking on a link in a phishing email, for example, could employees be tricked into going through a dangerous door in the metaverse?
Also, the metaverse could enable new forms of cybercrime such as cyber extortion. Criminals can collect potentially damaging or embarrassing information about a person’s behavior in the metaverse, then threaten to make that public unless their victim pays an extortion fee.
Some metaverse platforms let users take advantage of 3D headsets for virtual worlds that provide full immersion into the environment or augmented immersion by blending the real and virtual worlds. These environments are compelling but also present opportunities for new attacks — such as real-time manipulation of what the user sees — that can impact user safety, equipment operations or product quality.
Secure the metaverse up front
Web browsers have had 20+ years to grow their security and privacy features. We’re only at the dawn of the age of the metaverse, so it’s understandable that there’s a lot more work to do to create highly secure environments. Also, the complexity of the metaverse can’t be ignored, and as we know, complexity is the enemy of security.
That said, enabling as many security controls as you can right now for metaverse environments is critical. Here are some steps businesses can take today:
- Have a well thought-out identity strategy.
Many of the same tools we can use today — multifactor authentication (MFA), passwordless access — can lift and shift to metaverse environments. In fact, bringing these to the metaverse simplifies employees’ access to all the ways they communicate and collaborate, enabling them to maintain the same identities across email systems, conferencing environments and the metaverse. Businesses that haven’t begun deploying these security features for their everyday environment should start now, so that they’re positioned to build even greater robustness into their identity strategy as the metaverse gains a greater foothold in the company.
For example, think ahead to the potential of developing some form of hand authentication — maybe the virtual equivalent of a fingerprint — with MFA to verify the identity of employees for access to documents or customers for conducting transactions.
- Strengthen your ability to detect and block malware.
Malware isn’t going away in the metaverse. In fact, there may be even more opportunities for employees to accidentally open the door to malware via new social engineering scams. So, updating endpoint, perimeter and network protection tools should be a priority, along with applying the principles of zero trust to the metaverse.
- Make testing a part of the process.
We know that in the press for business growth, companies tend to focus on quickly releasing new software rather than heavily securing it. That can leave vulnerabilities that, with more careful testing, would most likely have been detected and remediated. If you’re developing applications for the metaverse, don’t overlook traditional testing.
- Enhance your security training.
Security training will continue to be an important element of your security arsenal. Today, we train employees on how to detect phishing emails. In the metaverse, those same employees will need training on how to check the identity of avatar users, be on the lookout for virtual world scams and more. You can start out by focusing on the employees who will spend a great deal of time in the metaverse. But odds are that, sooner or later, more and more of them will spend at least some time there, so at some point you should make training mandatory for everyone.
- Know who you’re dealing with.
It’s no secret that some tech companies, such as those in social media, have always relied on harvesting data about their users to make money. That means data about your employees, your customers or both. So, before committing to a metaverse platform, make sure that you’re comfortable with the data policies of the vendors you’re considering. Hand in hand with that, make sure the vendor you choose is reputable, trustworthy and known for good cybersecurity practices. Steer clear of vendors with a record of lax security and costly breaches.
We’re likely to see some interesting evolutions in security tooling to accommodate the new security needs of the metaverse. For example, multiple signals can be pulled together and checked (your voice prints and typical movement patterns through metaverse environments, for instance), offering the potential to deliver stronger security in terms of zero-trust access.
Every new technology presents both risks and opportunities, and the metaverse is no different in this respect. Every company venturing into the metaverse must ensure that its employees, customers and partners remain safe and secure, and that data and other valuable assets are protected against theft and fraud.
At DXC, we’re not only talking about the metaverse but also transforming ourselves into a virtual-first organisation. We’re using the DXC Virtual World platform for events, collaboration, team-building and allocating private space. Read our perspective paper, Moving into the Metaverse, to find out more about how DXC Virtual World can help your company step into the virtual world.
About the Authors
Mark Hughes is president of security at DXC Technology.
Peter Scott is global director of security at DXC.