Most organizations across Australia, the UK, and the US have either already invested in the metaverse or plan to do so soon. Yet, fewer than half are confident existing security infrastructure is capable of tackling associated cyberthreats.
Despite doubts surrounding the future of the metaverse, it remains an industry predicted to become a $5 trillion market by 2030. One in four organizations has already started working in the metaverse, with most of the rest planning to do so within the next three years, new research by Tenable shows.
This is despite fewer than half of survey respondents saying they believed the metaverse was ready to tackle cybersecurity challenges. Most were not confident existing cybersecurity measures were sufficient to curb cyberthreats in the virtual world.
“Organizations recognize there is immense opportunity in the metaverse, but they are also keenly aware of the cybersecurity risk they face. As with any new business opportunity, first movers have the advantage, and the risk,” Bob Huber, Chief Security Officer at Tenable, told Cybernews in an email.
Whether it’s first-movers advantage or fear of missing out, most organizations are willing to forgo the risks, with only four in 10 respondents saying their organization takes security as a top consideration when deciding on metaverse investment plans.
A whopping 87% of respondents said they would be comfortable sharing personal user information between different metaverse services – presenting a “huge risk” if the security framework to protect them is not in place prior to launch, according to Tenable.
“I feel like the respondents are speaking from an ideal state, that being that we can establish a safe way to share this information and align to all necessary regulations and requirements across the globe. Again, that’s ideal, it’s not reality at this point,” Huber said.
Companies see customer engagement, improved learning and training, and better workplace collaboration as the most intriguing business opportunities in the metaverse.
These opportunities are not without risks, Tenable warns. A number of old and emerging cybersecurity threats need to be addressed before businesses can venture into the metaverse safely.
“Traditional threats remain successful. Legacy vulnerabilities in software used by companies around the world continue to be exploited by a variety of cybercriminals and that doesn’t change in the metaverse,” Satnam Narang, senior staff research engineer at Tenable, said.
Older threats such as phishing, malware, and ransomware attacks are expected to have the greatest impact on organizations developing and hosting their virtual worlds. Most businesses are aware of these conventional threats, with 81% agreeing they are likely or somewhat likely to occur in the metaverse. Most also expect the threat landscape to shift once the technology is more widely adopted.
“The threats that will emerge once the metaverse achieves widespread adoption will shift from purely on the operators of the metaverse to also include metaverse users,” Sarang said.
One of the top emerging threats includes the cloning of voice and facial features and hijacking video recordings using avatars. While using synthetic voices and facial features – or “a digital mask” – could make the metaverse experience more personal, cybersecurity professionals are concerned there is no way of identifying who is really behind the avatar, Tenable says.
It warns that personal information and content stored in a virtual environment can also be forged and leaked, with 79% of research respondents agreeing it will be a likely or somewhat likely problem.
“Peeping Tom” attacks are also widely expected to proliferate in the metaverse as long as virtual reality headsets remain the key technology to access it. Vulnerabilities in some of the existing technology could see attackers invisibly eavesdrop in virtual reality rooms, exploit the flaws to gain complete control over users’ computers, and secretly deliver malware or start a worm infection.
78% of respondents said this would become a common problem in the metaverse. The same number, almost four in five respondents, also said compromised machine identities would be a likely threat. Billions of machine-to-machine communications already occur daily without any human interaction – whether across the internet of things, edge computing devices, or traditional IT systems.
“Once the metaverse becomes more widely adopted, the newer threats will start to emerge as a problem, so it’s critical that the organizations developing metaverses today do their due diligence to protect their infrastructure from attacks now,” Narang said.
The prospect of security breaches and identity theft, the lack of clear processes for data privacy, and the shortage of experienced security professionals are the top three barriers companies consider before entering the metaverse, according to Tenable research.
Even though the “security will lag” in the new market, businesses will continue to invest in what they see as “an ideal avenue to growth or improved experiences,” Huber said. It means that they will need to learn how to manage – mitigate, accept or transfer – the risk, he added.
“Time and time again, it’s proven that organizations will adopt new technology even if the risk outweighs the reward. The risk-to-reward ratio has so many variables, but ultimately depends on an organization's appetite for risk,” Huber said.
At 87%, the vast majority of survey respondents believe that organizations should not be left alone to determine the security of metaverse operations. They also said the metaverse should be regulated.
“This finding is interesting considering that most transactional actions are already regulated – sales, eCommerce, privacy – and those regulations will still apply in the metaverse,” Huber said.
All the same, the industry expects the government’s involvement in determining what metaverse-specific regulation framework works best.
Progressive organizations, however, should take matters into their own hands. Tenable says they should start re-evaluating existing infrastructure to be better prepared to navigate and build their metaverse worlds.
Nine in 10 respondents believe building cybersecurity into software code – in what is termed “shift left” – will be key in securing the metaverse.
Conducting a comprehensive asset inventory to identify misconfigurations and vulnerabilities, whether on-premises or in the cloud, is also seen as an important step, as is awareness of their virtual footprint.
To succeed in the metaverse, organizations will also have to upskill or hire new talent to deal with the expanded attack surface “rife with both old and new cyberthreats,” the research says.
The study was conducted by Opinion Matters on behalf of Tenable across Australia, the UK, and the US. It surveyed 1,500 cybersecurity, DevOps, and IT engineering professionals.
More from Cybernews:
Subscribe to our newsletter