Peter Scott, a seasoned IT professional with 25 years of experience, is responsible for ensuring security for DXC and its customers. Prior to joining DXC, Peter held various key roles at BT Plc for 15 years, including senior director of IT infrastructure and director of end user technology and security, where he led global teams focused on delivering operational excellence, improving user experience, and driving change. He also founded an IT consultancy and software development company in the UK earlier in his career and began his career in the UK Ministry of Defence. Peter holds a Bachelor of Engineering degree in Computer Engineering from City University of London.
As companies start using the metaverse for collaboration, training, and conferences, as well as building customer-facing virtual worlds for entertainment, banking, e-commerce, and social events, they will face a host of new security challenges.
How will they verify the identity of the people inhabiting digital avatars in virtual worlds? How will they establish trust with the avatars they’re interacting with? How will they share documents and other valuable assets without exposing their data to competitors and criminals? As users navigate the various corners of the metaverse, what protections are in place to help them maintain their own privacy?
The metaverse is likely to create new security issues in four key areas, and it’s vital companies embed privacy, authentication, and other cyber protections into their metaverse environments from conception.
Confronting New Security Issues in New Worlds
1. Identity
Remember the cartoon caption, “On the internet, no one knows you’re a dog”? In the metaverse, where interactions take place among avatars, the identity verification challenge will be daunting. The environment feels very human, which encourages trust. But that avatar claiming to be your boss? Thanks to AI voice simulation, video deepfakes and other innovations, maybe it isn’t. For similar reasons, parental controls will be more challenging to implement and easier for kids to circumvent, which has implications for virtual world game developers.
2. Privacy
Eavesdropping will be an increased threat on some metaverse platforms. If you’re conducting a confidential discussion with someone, will you know whether others are surreptitiously listening? What about content that is attached to your avatar, perhaps sensitive data from a critical application? And how to ensure that virtual conference rooms will be secure, including shielding presentations (or other content that’s being shared) from prying eyes?
3. Transactions
If you’re trying to close a deal in the metaverse, how can you verify its terms and conditions in the real world? Virtual banking, a possible application for the metaverse, will present similar challenges. Banks will want to make their services highly personal, to differentiate them from current online banking apps. But they’ll also need to make them highly secure and safe, with powerful authorization controls.
4. Expanding attack surface
The metaverse will create more opportunities for criminals to conduct social-engineering tricks, confidence scams, fraud and more. More sophisticated versions of today’s attacks may find a home and be harder to detect, too. Instead of clicking on a link in a phishing email, for example, could employees be tricked into going through a dangerous door in the metaverse?
Also, the metaverse could enable new forms of cybercrime such as cyber extortion. Criminals can collect potentially damaging or embarrassing information about a person’s behavior in the metaverse and threaten to make it public unless their victim pays an extortion fee.
Some metaverse platforms let users take advantage of 3D headsets for virtual worlds that provide full immersion into the environment or augmented immersion by blending the real and virtual worlds. These environments are compelling but also present opportunities for new attacks — such as real-time manipulation of what the user sees — that can impact user safety, equipment operations or product quality.
5 Steps to Secure the Metaverse
Web browsers have had 20+ years to grow their security and privacy features. We’re only at the dawn of the age of the metaverse, so it’s understandable that there’s a lot more work to do to create highly secure environments. Also, the complexity of the metaverse can’t be ignored, and as we know, complexity is the enemy of security.
That said, enabling as many security controls as you can right now for metaverse environments is critical. Here are some steps businesses can take today:
1. Have a well-thought-out identity strategy.
Many of the same tools we can use today — multifactor authentication (MFA), password less access — can lift and shift to metaverse environments. In fact, bringing these to the metaverse simplifies employees’ access to all the ways they communicate and collaborate, enabling them to maintain the same identities across email systems, conferencing environments and the metaverse. Businesses that haven’t begun deploying these security features for their everyday environment should start now, so that they’re positioned to build even greater robustness into their identity strategy as the metaverse gains a greater foothold in the company.
For example, think ahead to the potential of developing some form of hand authentication — maybe the virtual equivalent of a fingerprint — with MFA to verify the identity of employees for access to documents or customers for conducting transactions.
2. Strengthen your ability to detect and block malware.
Malware isn’t going away in the metaverse. In fact, there may be even more opportunities for employees to accidentally open the door to malware via new social engineering scams. So, updating endpoint, perimeter and network protection tools should be a priority, along with applying the principles of zero trust to the metaverse.
3. Make testing a part of the process.
We know that in the press for business growth, companies tend to focus on quickly releasing new software rather than heavily securing it. That can leave vulnerabilities that, with more careful testing, would most likely have been detected and remediated. If you’re developing applications for the metaverse, don’t overlook traditional testing.
4. Enhance your security training.
Security training will continue to be an important element of your security arsenal. Today, we train employees on how to detect phishing emails. In the metaverse, those same employees will need training on how to check the identity of avatar users, be on the lookout for virtual world scams and more. You can start out by focusing on the employees who will spend a great deal of time in the metaverse. But odds are that, sooner or later, more and more of them will spend at least some time there, so at some point you should make training mandatory for everyone.
5. Know who you’re dealing with
It’s no secret that some tech companies, such as those in social media, have always relied on harvesting data about their users to make money. That means data about your employees, your customers or both. So, before committing to a metaverse platform, make sure that you’re comfortable with the data policies of the vendors you’re considering. Hand in hand with that, make sure the vendor you choose is reputable, trustworthy, and known for good cybersecurity practices. Steers clear of vendors with a record of lax security and costly breaches.
We’re likely to see some interesting evolutions in security tooling to accommodate the new security needs of the metaverse. For example, multiple signals can be pulled together and checked (your voice prints and typical movement patterns through metaverse environments, for instance), offering the potential to deliver stronger security in terms of zero-trust access.
Every new technology presents both risks and opportunities, and the metaverse is no different. Every company venturing into the metaverse must ensure that its employees, customers, and partners remain safe and secure, and that data and other valuable assets are protected against theft and fraud.