The metaverse may bring new cyber risks. Here’s what companies can do

Cyber Security and Digital Data Protection Concept. Icon graphic interface showing secure firewall technology for online data access defense against hacker, virus and insecure information for privacy.

Imagine discussing a confidential multimillion-dollar deal with your boss. The conversation ends, and you both leave.

A while later, you both meet again and you bring up your earlier conversation — but your boss has absolutely no recollection of the deal.

What just happened?

In the metaverse, this might mean you were the victim of a hacked avatar or deepfake, said Prabhu Ram, head of the industry intelligence group at CyberMedia Research, a research and consulting firm. Deepfakes refer to manipulated digital figures that look or sound like someone else.

The metaverse has drawn hype in recent months, with companies like Meta, formerly known as Facebook, and Ralph Lauren, rushing to get their foot in the door. But unless cybersecurity risks in the metaverse are addressed, these companies may not see the success they’re hoping for.

Cybercrime in the real world is already becoming more rampant.

Cybersecurity firm Check Point reported a 50% increase in overall attacks per week on corporate networks in 2021 compared to a year earlier. As businesses rush to plant their flag in the metaverse, not all may realize the full dangers of this new world, said Ram.

“Since the contours and potential of metaverse are yet to be fully realized, the overt concerns around privacy and security issues in the metaverse remain confined to only a few ‘tech-aware’ companies,” Ram said.

“As new attack vectors emerge, they will require a fundamental realignment of today’s security paradigms to identify, verify and secure the metaverse,” he added.

Identity security

JPMorgan released a white paper in February which recognized user identification and privacy safeguards as important elements for interacting and transacting in the metaverse.

“Verifiable credentials [should be] easily structured to enable easier identification of fellow community or team members, or to enable configurable access to varying virtual world locations and experiences,” according to the white paper.

Gary Gardiner, who is head of security engineering for Asia-Pacific and Japan at Check Point Software Technologies, agreed.

The same mindset for internet security needs to be applied to the metaverse, he said, adding that security protocols should be as user-interactive as possible.

People are looking at blockchain to identify users, or “using tokens that could be assigned by an organization, or biometrics in a headset you’re wearing so there’s that level of trust so you actually know who you’re talking to,” he said.

Gardiner also suggested having “little exclamation marks” above avatars’ heads to signal that a person is untrustworthy.

Data breaches

As users leave trails of data around the metaverse, one major problem in the real world may also cross into the virtual reality world — the invasion of user privacy by tech companies.

The 2018 Facebook and Cambridge Analytica scandal, for example, saw millions of users’ data harvested and used without consent. In the metaverse, there may be even more data available for these companies to feed on if strict regulations are not put in place to protect users.

We need a national framework for privacy, says Tusk Ventures CEO Tusk on regulating the metaverse

When users are wearing devices like virtual reality headsets, organizations can collect data such as their head and eye movement or their voice, said Philip Rosedale, founder of Second Life, an online world that allows people to hang out, eat and shop virtually.

“Meaning within a few seconds, we can identify it is you exactly wearing the device. This is a very serious potential privacy problem for the virtual world,” he said.

What can be done