4 questions every CISO should be asking about the metaverse

The metaverse is coming — and it’ll be here sooner than you might think. Gartner forecasts that by 2026, a quarter of people will spend at least an hour a day in the metaverse.

This is great news for businesses, as it will unlock new business models and ways of working that will add value in ways we can only guess at now. As Accenture puts it, the metaverse “will transform how businesses interact with customers, how work is done, what products and services companies offer, how they make and distribute them and how they operate their organizations.”

However, from an enterprise security perspective, the metaverse presents a host of challenges. Most businesses today struggle with securing the data and infrastructure they already have. In the multidimensional world of the metaverse, this will become exponentially more difficult.

The metaverse is still a moving target. Today, we are more or less at a similar stage in its development lifecycle as we were in the early 1990s for the internet. But unlike in the ’90s, today we have a much better idea of the sort of threats that can emerge in powerful digital ecosystems, which means we can be much better prepared for what comes next.

The key is to start now, with an industrywide effort to discuss the challenges of the metaverse and mitigate them before they become a problem.

What risks will the metaverse bring? The metaverse will see similar challenges to the current security issues facing digital organizations, just adapted to the different forms of engagement, interaction and access that come with immersive, virtual environments.

With that in mind, I believe there are four key questions that all CISOs and technology teams should be asking about the metaverse today:

Can we protect PII (and other sensitive data) in the metaverse?

Securing personally identifiable information (PII) is already a pressing requirement for businesses, particularly in light of regulations such as the California Consumer Privacy Act (CCPA) in the U.S., the General Data Protection Regulation (GDPR) in Europe and China’s Personal Information Protection Law (PRPL).

The metaverse doesn’t change enterprises’ obligations to secure PII as set out in such laws. What it does do, however, is exponentially scale the amount of PII and other sensitive data that organizations will collect, store and manage to deliver metaverse experiences.

Much of this data will come from technologies that enable the blurring of the digital and physical worlds that defines the metaverse, such as biometric devices, smart speakers and microphones and virtual reality headsets. Data governance, endpoint security, network security and much else will be significantly more important as PII proliferates.

Such capabilities must be delivered in a way that doesn’t slow down the performance of the underlying network. After all, a laggy, jittery metaverse would quickly lose users.

How can I authenticate users?

Another challenge facing current enterprise technologies is how to verify people’s identities when they access sensitive digital services, such as banking applications or corporate networks.

Today, this is often achieved through multifactor authentication, but this approach simply will not work in the metaverse. We are entering a world of avatars that will populate 3D environments in real time. It is impractical to expect a person to drop out of their virtual session and take off their headset to complete an authentication transaction in the real world.

Businesses and public-sector organizations will therefore need foolproof ways to ensure that a person’s avatar is being controlled by that person and that the avatar has not been counterfeited or “deep faked.” How will users be able to tell if this is really the party they expect to be interacting with? They look like that party and behave like that party. How will we be able to trust the flow of these identities between various metaverse platforms?

There are a number of ways that this could be done. For example, there is a range of emerging approaches that use biometrics to build up a baseline of user behaviors and mannerisms that are as unique to individuals as fingerprints, which can be used to automatically alert security teams should a user’s avatar behave abnormally.

Other potential approaches could involve using iris pattern recognition to link a unique avatar to an individual VR headset or embedding unique encrypted identifiers in avatars to protect against counterfeiting. As this technology continues to evolve, other mechanisms and approaches will be identified.

Can we protect users from bullying, harassment and exploitation?

Social media platforms are awash with aggression, bullying, harassment and exploitation. There’s no reason to think that these blights will not affect the metaverse.

However, as an immersive 3D experience, the psychological effects of such behavior will likely be all the more harrowing for victims. Avatars are extensions of the user and intricately linked to that person’s identity. For many people, an experience in the metaverse will feel every bit as real as one in their daily lives. This will be even more so when innovations like haptic gloves and tactile feedback mechanisms bring the sensation of touch to the metaverse.

Significant challenges are emerging even at this nascent stage of the metaverse. For example, following complaints from female users of its Horizon Worlds platform, claiming that their avatars had been groped, Meta Platforms introduced a “personal boundary,” which places a four-foot shield around its avatars.

All companies need to consider where the boundaries lie between the physical and virtual worlds, the duty of care they owe users and how best to balance the safety of users with the usability of the metaverse. But what if there are vulnerabilities in the code and the boundaries can be compromised? What liability will the company face should this safety mechanism fail?

Ultimately, solving this problem will require clear legislation around what is not permissible in digital realms, along with the capability to police new laws. But how is this to be governed and policed? Who will be the central authority when these environments cross jurisdictional boundaries, let alone between metaverse platforms?

Businesses can help with their own moderating teams, much like they do now for abusive content on social media platforms. Additionally, as this opinion from the World Economic Forum sets out, a solution will also lie in “finding ways to incentivize better behaviors and perhaps reward positive interactions.”

Can we manage this kind of fast-growing attack surface?

Most organizations today share the view that the proliferation of devices, the growth of data and the expanding attack surface are major challenges. The metaverse is only going to add to this.

As mentioned, the metaverse will come with a wide range of associated hardware that will be attached to enterprise networks, each vulnerable in its own way and all of it will need security oversight and management. Organizations (and their security teams) will also need to think about protecting the human brain, which in the metaverse also becomes part of the attack surface.

It’s a truism in security that people are often the weakest link in an organization, and indeed, social engineering accounts for a majority of successful hacks. In immersive, virtual worlds, it will be easier for malign agents to psychologically manipulate users and spread misinformation. Already, for example, Sensorium Corp’s Metaverse has been used to spread misinformation about vaccines.

Training people about security threats and how to avoid falling into traps is just as important as putting robust cyber protections in place. In the metaverse future, it’s likely that such training will need to include psychological resilience techniques and programs for spotting manipulative or coercive behavior. At all times, people should feel supported and be able to report anything that doesn’t feel right.

Securing the metaverse starts now

The questions above are just some of the challenges that will come with the metaverse, and it’s good to see people already talking about it and helping think this through. Challenges abound, such as preventing the misuse of virtual worlds by terrorists (the metaverse would make for highly effective training grounds for potential attacks) and combating fraud schemes that target virtual assets (NFT fraud is already a thing).

But business leaders should not take any of these challenges as reasons not to explore the metaverse. Make no mistake, the metaverse is likely going to have as big an impact on the world as the internet did. Companies that do not get involved will likely struggle to compete.

There’s an urgent need for the security industry to get together now and make a collaborative effort to discuss solutions to the many challenges that lie ahead. I believe that we, cybersecurity and digital risk professionals, are the best equipped at this point to lead our organizations through these challenges.

We know that it will be a difficult and complex environment, but we have great experience that we can leverage and apply, and we have some time to prepare. The more we do now, the more questions we ask, the better the chances that the metaverse will deliver maximum benefit with minimum risk.