Meta has pulled off one hell of a marketing stunt by getting people to widely refer to internet-connected virtual reality as “the metaverse”, although the technology is open to everyone and countless companies are no doubt launching their own products and services. A new report from Tenable explores the underlying concerns of this emerging market, which some analysts predict is worth up to $800 billion by 2024, and highlights what are likely to be the metaverse’s biggest security threats.
The study includes feedback from more than 1,500 IT and cybersecurity professionals from around the world and finds that a large majority of organizations plan to do business in the metaverse within the next three years. And while 90% are already thinking about the cybersecurity framework that should precede these efforts, less than half say they have great confidence in the ability of existing cybersecurity measures to meet these new demands.
Top Metaverse Security Issues: Clone User Appearance, Eavesdropping, Phishing
68% of organizations say they are ready to dive into the metaverse in the near future, but far fewer are confident that all metaverse security elements are in place.
The general lack of confidence does not necessarily stem from a lack of ability to anticipate threats in this new developing space. Respondents anticipate a mix of new and old threats in the metaverse security landscape, but in some cases, the old threats are those that organizations are still struggling to contain on the standard Internet.
Meta has thrown the most money and marketing into the fray so far, but other big companies (such as Microsoft, Nvidia, and major gaming platforms) are also making big plans. This signals security risks in several different areas. One is interoperability, as users seek to move virtual assets between these different worlds. Another is the programming and maintenance knowledge needed to create and maintain these new spaces, which existing IT staff probably don’t have on the whole.
Organizations sense the potential here, with 23% responding that they are already developing initiatives even as baseline specifications are still being firmed up. Among respondents who expressed a desire to do business in the metaverse, the top interest (44%) was customer engagement opportunities. Other popular areas are learning/training measures and workplace collaboration.
But when asked about their concerns about expanding into this new realm, respondents said metaverse security was the #1 item on the list. Overall, today’s security solutions have yet to take into account the prospect of metaverse integration. Nevertheless, 86% of respondents said they would feel comfortable sharing users’ personal information between different metaverse services.
Security vendors can wait to see what users settle on in the metaverse before adapting their products accordingly. Among the products available so far, online games are the only ones attracting a large number of users (especially the pre-existing Roblox and Fortnite) as well as simple 3D chat applications that allow users to appear as an avatar.
Metaverse security should prove an immediate major challenge for early adopters
What metaverse security issues are companies already anticipating? Most expect existing attacks to find a new home in the virtual world; phishing, malware, and ransomware attacks are likely to target organizations (and security programs) that grapple with new and unfamiliar technology.
But almost as many are also concerned about various types of “identity cloning” or “identity hijacking” attacks, in which hackers duplicate or take control of familiar avatars. Organizations also have a similar concern about “man-in-the-room” or “voyeur” attacks by an invisible infiltrator of VR headsets or rooms, and the compromise of machine identities and API transactions.
How do organizations plan to deal with metaverse security threats? The overwhelming majority, 87%, want the government to intervene early in the regulation. More than half say they plan to invest in specialized training. About half also plan to hire for specialized IT, security, and software development positions that directly address metaverse security.
When asked what metaverse security measures they advise taking today, organizations said software design needs to “shift left” to build security into code from the very beginning. They also suggest focusing on identifying cloud vulnerabilities/misconfigurations and ensuring there is visibility into all internet-connected assets.
Although the issue of metaverse security was most often cited as a barrier to entry, organizations also expressed similar levels of concern about the lack of clear processes for data privacy and the availability of staff qualified to ensure the safe operation of these virtual products. Many said they would wait to see how other companies fared before jumping in.