5 MINS READ
In the two years since Meta announced its plans for the metaverse, we’ve seen many enthusiastic claims about its revolutionary impact on entertainment, business, and social interaction.
We’ve also seen some of the intense early focus of public attention move on to other advancing technologies like generative AI.
But, as enterprises put the initial curiosity and excitement around metaverse behind them, they have continued to see the value in developing metaverse concepts, particularly in key business use cases like employee training, onboarding, remote working, and digital twins.
It’s true the precise meaning of metaverse can still be hard to pin down. First coined by science fiction writer Neal Stephenson in 1992, the term broadly refers to the evolution of the internet into a persistent immersive virtual world that people can inhabit and interact with as easily as the real world.
We believe a useful way to think of it is as an ongoing convergence of the physical world with the digital world thanks to a combination of immersive and leading-edge technologies. This includes not only immersive technologies like virtual reality (VR), augmented reality (AR), and mixed reality (MR), but also other related technologies like spatial audio, geolocation services, artificial intelligence (AI), machine learning (ML), blockchain, and quantum computing.
As we move into development and implementation of metaverse, the hard work of deciding how these technologies and experiences will function on a technical level is underway.
Cybersecurity is a critical component of that process. Enterprises must consider how people will connect, collaborate, work, and do business within metaverse environment in a way that maintains rigorous data security and data privacy.
The sooner these questions can be answered, the better. A strong security foundation will be key to building and maintaining users’ trust as they move in and out of the metaverse and the physical world. This will require new cybersecurity models, new policies, and most likely, new regulations, capable of seamlessly functioning in both spaces.
For example, today’s blueprints for data access, protection, transfer, and recovery will need to be redrawn. New encryption protocols will need to be developed and enhanced. And real-time threat assessments and automated defensive actions will be vital to mitigate the risks of cyber-attacks, among other priorities.
Metaverse cyber strategies will need to account for trends and risks in both physical and virtual worlds at the same time — bringing complex geopolitical, social, and even environmental considerations into play.
To this end, we suggest a series of cybersecurity considerations that enterprises will need to start addressing now as they continue to develop their metaverse strategies and experiences.
#1 Real-time risk assessment, visibility, and analysis
One of the distinctive features of developing metaverse concepts is the amount of new hardware and data involved. This isn’t only a question of giving employees new VR and AR headsets, but also managing the myriad other data sources that might feed into metaverse experiences—from in-car displays and Internet of Things (IoT) devices to sensor-equipped machinery and autonomous drones.
The vast volumes of data flowing to and from this huge influx of hardware will all need to be configured, updated, analyzed for risk, and secured. It will require a massive integration and cybersecurity program similar to what enterprises had to go through when they had to incorporate employee mobile devices into their networks.
As part of this, companies will need to consider protecting transactions and activities with a rapid, real-time ‘on-the-go’ assessment and analysis of cyber threats. This will be critical in enabling risk and cybersecurity teams to instantly identify and mitigate any cyber-based incidents across a complex metaverse hardware landscape.
This capability could also be used to deliver real-time warnings to end users about possible threats to their data and privacy, and the impact their actions in the metaverse might have on other users. However, a delicate balance will need to be struck in order to deliver these real-time alerts without spoiling the immersive experience.
#2 Enhanced encryption
It goes without saying that all this new data will need to be stored with watertight security. That’s even more important given the new types of information that will be collected in the metaverse.
This includes not only personal biometric data—facial expressions, eyeball movements, emotions, voice, other physical information—but also data about people’s immediate environment, as well as numerous other business-sensitive datasets. Consider, for example, that many VR/AR headsets have external cameras to capture data about the space around the user. The attraction of this kind of data for hackers and bad actors is obvious.
However, the sheer volume of data that will need to be transmitted to and from devices in real time will test traditional encryption methods to breaking point. Those methods simply won’t be able to encrypt the data efficiently enough to deliver a seamless immersive experience. As such, data security, transfer, access, and recovery blueprints will need to be reimagined. New encryption protocols and methodologies, such as quantum cryptography, will need to be considered.
#3 Redefined privacy
Storing this data securely is one thing. Using it in the right way is another. The potential for organizations to use the data irresponsibly–even inadvertently–is significant.
Imagine employees going through their annual performance review with their manager remotely through an immersive experience. Their device may pick up any number of signals—facial expressions, eyeball movements, voice sentiment—they might prefer and expect to keep secret. Anyone who’s ever secretly rolled their eyes in a meeting will understand the risk here.
The key point is that enterprises must be willing to refresh their user privacy protections and ethical guardrails as they develop metaverse experiences. To maintain user trust, they must be clear and transparent about what data they’re collecting and how it will—and won’t – be used.
Over time, we may see a shift towards users taking more ownership of their data and exercising greater influence over how it can be used. In the consumer-facing space, companies may need to consider ‘quid pro quo’ arrangements, in which users are rewarded with better experiences or similar benefits in return for access to their data.
Ultimately, given the high potential for data misuse, this is likely to be something governments and regulators start to address, possibly even through international agreements. We’ve already seen movements in this direction in the European Union with GDPR and similar laws in California and New York.
However, enterprises shouldn’t simply sit on their hands and wait for metaverse cybersecurity regulation to happen. They should look to be active participants in the development of those regulations and policies. And in the meantime, they should consider stringent data privacy and ethical safeguards as a core part of running a responsible and well-respected business.
#4 Adaptive security
The sheer amount of data to be secured in the metaverse will require companies to consider technological as well as human solutions. Fortunately, rapid advances in AI will offer a host of new opportunities.
AI-driven adaptive cybersecurity will be able to analyze and learn from vast amounts of data in real time, identifying patterns, spotting anomalies, and taking immediate action on a scale and with a speed human analysts could never hope to match.
Such adaptive safety control systems would monitor data, assets, systems, and transactions, predicting, preventing, and responding to issues in real time. At an individual level, an example might be alerting cybersecurity teams that a user has started behaving unusually—or even shutting down their access automatically.
But adaptive security could also operate at the enterprise or even metaverse-wide level to identify broader information risks and cyber threats. These broader risks will become ever more relevant as the metaverse continues to merge physical and digital worlds. The potential for actions in one to influence outcomes in the other will increase dramatically.
On the one hand, metaverse experiences will become reliant on real-time data from the real world – weather patterns, user data, social media, and so on. On the other hand, metaverse environments will themselves increasingly affect that real world. Think, for example, of a digital twin of a manufacturing plant providing insights to improve the performance of physical machinery in real time.
The point is, metaverse cyber strategies will need to account for trends and risks in both physical and virtual worlds at the same time—bringing complex geopolitical, social, and even environmental considerations into play.
A core concept of the metaverse is that individuals, assets, purchases, and spaces have a persistent virtual identity, just as their equivalents do in the real world. Users will be able to come and go at any time, pick up where they left off, and switch between different virtual spaces, in a completely consistent and seamless way.
For enterprises building metaverse experiences, this need for seamless integration has significant implications for interoperability and access management. Put simply, user experience will be severely diminished if employees or customers are required to laboriously log in and out of each different virtual space they want to enter.
A good analogy would be a shopping mall that asked customers to verify their identity before entering each store. The negative impact on the user experience is so obvious it hardly needs stating. And yet, to avoid that happening in the metaverse, companies will need to find ways to manage the transitions between different virtual spaces securely.
This is not something that any one company can solve on its own. It will need cross-industry standardization and interoperable security protocols, like those agreed for internet payments. Companies will therefore need to come together, forming cross-industry organizations to agree on standards for ensuring transitions within the metaverse maintain watertight security.
Beyond the hype
User experience in the metaverse will be dramatically different from the way we experience the internet today.
But data security threats in these environments will be equally distinct and varied. Therefore, we believe the metaverse calls for a new approach to cybersecurity, following the five considerations outlined above.
Now that we've moved past the hype stage, we can start the real work of building productive metaverse experiences that deliver value for customers, for employees, and for businesses. The key is to ensure this next iteration of the internet is secure by design and cyber resilient from day one.