Meta pulled off quite a marketing coup in getting people to broadly refer to internet-connected virtual reality as “the metaverse,” though the technology will be open to everyone and countless companies will undoubtedly debut their own products and services. A new report from Tenable explores the concerns implicit in that emerging market, which is expected by some analysts to be worth as much as $800 billion by 2024, and highlights what are likely to be the biggest metaverse security threats.
The study includes the feedback of over 1,500 IT and cybersecurity professionals from around the world, and finds that a large majority of organizations plan to do business in the metaverse within the next three years. And while 90% are already thinking about the cybersecurity framework that needs to precede these efforts, fewer than half say that they have strong confidence in the ability of existing cybersecurity measures to meet these new requirements.
Top metaverse security concerns: Cloning of user appearance, eavesdropping, phishing
68% of organizations say they are ready to plunge into the metaverse in the near future, but far fewer are confident about having all the pieces of metaverse security in place.
The general lack of confidence does not necessarily stem from a lack of ability to anticipate threats in this newly developing space. Respondents foresee a mix of new and old threats in the metaverse security landscape, but in some cases the old threats are those that organizations are still struggling to contain on the standard internet.
Meta has thrown the most money and marketing into the fray so far, but other big companies (such as Microsoft, Nvidia and major gaming platforms) are also making big plans. This signals security risks from a couple of different areas. One is interoperability, as users look for virtual assets to be movable between these different worlds. Another is the programming and maintenance knowledge needed to create and maintain these new spaces, which existing IT staff by and large probably do not have.
Organizations smell potential here, with 23% responding that they are already developing initiatives even as basic specifications are still firming up. Of the respondents that expressed a desire to do business in the metaverse, the leading interest (44%) was customer engagement opportunities. Other popular areas are learning/training measures and workplace collaboration.
But when asked about their concerns about expanding into this new area, respondents said that metaverse security was item #1 on the list. By and large, today’s security solutions have not yet considered the prospect of metaverse integration. Nevertheless, 86% of the respondents said that they would feel comfortable sharing user personal information between different metaverse services.
Security providers may be waiting to see what users settle on in the metaverse before tailoring their products accordingly. Of the products available thus far, online games are the only ones drawing mass amounts of users (particularly the pre-existing Roblox and Fortnite) along with simple 3D world chat apps that allow users to appear as an avatar.
Metaverse security likely to prove an immediate, major challenge for early adopters
What metaverse security issues are organizations already anticipating? The largest number expect existing attacks to find a new home in the virtual world; phishing, malware, and ransomware attacks are likely to target organizations (and security programs) that are grappling with a new and unfamiliar technology.
But nearly as many are also worried about various types of “identity cloning” or “hijacking” attacks, in which hackers duplicate or take over familiar avatars. Organizations have a similar level of concern about “man in the room” or “peeping Tom” attacks by an invisible infiltrator of VR headsets or rooms, and about compromise of machine identities and application programming interface (API) transactions.
How do organizations plan to deal with metaverse security threats? The overwhelming majority, 87%, want government to step in early with regulation. More than half say that they plan to invest in specialized training. About half are also looking at hiring for specialized IT, security and software development roles that directly address metaverse security.
When asked about what they advise in terms of metaverse security moves that can be made today, organizations said that software design needs to “shift left” to embed security in code from the beginning. They also suggest a strong focus on identifying cloud vulnerabilities/misconfigurations and ensuring that there is visibility into all internet-facing assets.
While the issue of metaverse security was most commonly cited as a barrier to entry, organizations also expressed similar levels of worry about the lack of clear processes for data privacy and the availability of necessary skilled personnel to keep these virtual products functioning safely. Many said that they would wait to see how other companies fare before they jump in.