Since Mark Zuckerberg rebranded Facebook in 2021, the Metaverse has been touted as the next evolution of the internet.
For businesses, the potential is obvious – in fact, in a 2023 EY study 61% of executives said they couldn’t ignore its potential.
Some have already begun their journey into the metaverse – EY found 47% of UK execs have already started using the technology, which is loosely defined as virtual and immersive worlds.
But as with any exciting new opportunity in this connected world, the metaverse also carries significant cybersecurity and privacy risks. Key threats include data breaches, cyber-attacks, digital identity theft, sexual harassment and unconscious bias.
For instance, cybercriminals stole over $600 million after breaching Axie Infinity’s Ronin Bridge two years ago, and earlier this year, police in the UK launched an investigation into an alleged metaverse-based rape.
If business fail to get to grips with these risks, their ambitious metaverse plans could fall flat. Worse still, they could be exposed to financial loss, repetitional damage and legal repercussions. So, how can business leaders mitigate those risks while venturing into the metaverse, and who is responsible for keeping these new virtual worlds safe and secure?
The key concerns for businesses moving into the metaverse are data privacy, unauthorised access by cyber criminals and transaction security, according to Kim Currier, head of partnerships and marketing at virtual world maker Decentraland Foundation.
Currier urges metaverse companies to prioritise the safety and privacy of their users as cybercriminals continue to find ways to breach virtual environments. She tells TechInformed: “Maintaining the integrity of transactions and safeguarding user privacy are critical for building trust and ensuring functionality within the Web3 ecosystem.”
Cybercriminals may see a unique opportunity to target metaverses as their “immersive and interconnected nature” makes them a rich source of data, says Samuel Huber, CEO of immersive technology company Landvault.
He explains that without safeguards like advanced encryption or multi-factor authentication, the metaverse is highly susceptible to cyber-attacks and data breaches. According to Huber, other big security challenges businesses face in the metaverse are “verifying user identities” and “safeguarding intellectual property.”
Hackers may also be drawn to metaverse platforms because they know many users will be early adopters who don’t fully understand the technology or its security risks, warns Jake Moore, global cybersecurity advisor at antivirus maker ESET.
Moore says this lack of awareness could result in users making mistakes such as failing to apply basic privacy and security settings, putting them at increased risk of cybercrime and data loss. He adds: “When such settings are not immediately on by default, often even personal data can be captured easily.”
David Palmer, author of The Business of Metaverse, believes that cybercriminals can extract more information from businesses operating in the metaverse. He also warns users to be wary of threats like deepfakes — digitally manipulated media designed to imitate a person — and account takeovers, adding that the rise of artificial intelligence could exacerbate these issues.
“Some of the solutions to this include digital identity wallets, and the use of Blockchain decentralized digital identity wallets and verifiable credentials which provide increased security and also real time capabilities to verify credentials of businesses,” he says.
With many different metaverses already available on the market and more always emerging, a logical question is whether these cybersecurity risks are ubiquitous or platform-specific.
While admitting that many online threats are “universal”, Huber of Landvault says there could be instances when they vary across different metaverses depending on the security measures and protocols they have adopted.
“For instance, platforms with higher user engagement, such as Meta’s, might face greater challenges in managing security due to the sheer volume of data and interactions,” he says. “Conversely, other platforms may have different risk profiles based on their user base and the type of activities they host.”
Echoing similar thoughts, Kim Currier of Decentraland argues that these risks are not “uniform across all metaverses”. She points out that decentralised, open-source platforms like Decentraland approach cybersecurity, governance and moderation differently than centralised offerings developed by the likes of Meta.
Currier says decentralised platforms involve their users in the governance process, encouraging them to “hold each other accountable” and work together to “resolve issues as they arise”. Using these insights, she says platforms can issue technical fixes and prevent future security issues. On the other hand, centralised metaverses make all key governance and security decisions without involving their communities.
With multiple stakeholders shaping the key decisions in metaverses, who is primarily responsible for their safety? Sean Wright, application security lead at scam protection specialists Featurespace, argues that it is a “shared responsibility” between platform makers and users.
He says metaverse developers are responsible for securing the underlying infrastructure of the platform, although the security of individual accounts and virtual environments is up to the users.
At Decentraland, Currier also views security as a “collective responsibility”. She says the platform should lay down the “groundwork for security”, allowing users to protect their assets and personal information.
But ESET’s Moore thinks the buck should ultimately stop with platform makers regarding cybersecurity matters. He adds that they should protect their users by developing stringent security and privacy settings and providing support and guidance on staying secure in the metaverse.
With metaverses still in their infancy, author David Palmer says it makes sense for platform owners to handle cybersecurity-related issues. However, as virtual worlds evolve and expand, he expects lawmakers and regulators to take a more active role in their governance.
He says governments will work with metaverse platforms to ensure they are taking sufficient steps to “protect their services” and maintain the “integrity” of their identity credentials and, if offered, digital currencies.
Businesses that fail to secure their virtual assets in the metaverse can be affected financially, reputationally and legally, says Huber.
“These incidents result in substantial financial setbacks and erode user trust,” he tells TechInformed. “For example, the breach in the Axie Infinity platform led to the loss of millions of dollars worth of digital assets, highlighting the importance of stringent security measures.”
For Wright, data breaches present the biggest threat to enterprises based in the metaverse. He says they risk losing intellectual property and sensitive customer information to cyber criminals without adequate data protection.
Moore, however, believes the threat of metaverse-based data breaches to be “low” as adoption of the technology “remains slow”. Should this change in the foreseeable future, he says businesses should prepare for “more targeted attacks”.
Currier and the Decentraland team have seen first-hand the impact that cyber attacks can have on Web3 users. She describes a recent crypto wallet breach that affected a respected community member as a “huge blow” to everyone involved.
Eric Pulier, CEO of web3 platform Vatom, says enterprises that don’t secure their virtual environments could expose their staff to issues like bullying, sexual harassment and bias. He adds: “Further any documents or discussions exposed in the spaces can fall into the wrong hands if access controls are weak.”
As businesses enter the metaverse, they should adopt a range of best practices to protect their digital assets and data. Landvault’s Huber recommends that they invest in advanced cybersecurity solutions, conduct regular security audits, provide cybersecurity awareness training for staff and enlist the support of cybersecurity firms.
“For example, frequent security assessments can help identify and address vulnerabilities, while training programs can raise awareness about the importance of data protection,” he explains. “Working with leading cybersecurity firms ensures that enterprises stay ahead of emerging threats and implement the latest security technologies.”
Currier advises businesses new to the metaverse to get reputable experts to audit their smart contracts and to train staff on the cybersecurity threats they may encounter in the digital world, such as suspicious files and links.
Daniel Field, global head of blockchain at digital transformation agency UST, suggests that choosing open-source metaverse platforms could protect businesses from “misbehaviour” and “security vulnerabilities” in the virtual world.
“To maintain best safety practices, enterprises can support open initiatives for privacy preservation and enhance, adopt, and enforce the standards that foundations and other actors are already developing,” he says.
While the metaverse is still in the early stages of evolution and adoption, ESET’s Moore says developers can use this as an opportunity to “automatically protect accounts” by making “and security measures” a default feature of their platforms.
For businesses undeterred by these risks, Wright suggests that they only upload “non-sensitive information and data” to metaverse platforms.
Despite many businesses feeling optimistic about the future of the metaverse, this digital world will be unchartered territory for most executives, employees and customers. Therefore, it’s vital that enterprises take time to understand all the risks involved with using the metaverse and, if they decide to press ahead with metaverse adoption plans, take steps to mitigate them. Without proper safeguards, the metaverse could do more damage than good for enterprise users.
Subscribe to our Editor's weekly newsletter
Newsletter
Share
