7 minute read 24 Nov 2022
Testing virtual reality security

Why Irish organisations need to think about metaverse security

By Puneet Kukreja

EY Ireland Cyber Leader

7 minute read 24 Nov 2022

The metaverse could create an extended risk for organisations from a cybersecurity standpoint. Businesses need to move at speed to deploy zero trust.

In brief
  • The first step is to secure the IT infrastructure involved in delivery of the metaverse but also understand that metaverse security goes far beyond IT infrastructure and network security.
  • Security not only of the devices used in the AR/VR environment but of the entire supply chain involved in their manufacture will have to be assured.
  • Ethical considerations are of key importance. Organisations need to pay attention to the health, safety and wellbeing of people accessing the metaverse.

Every so often a new technology paradigm emerges which promises to fundamentally reengineer industries, economies, societies, and daily life. Roughly 10 years since the last such shift – Web 2.0 – we are on the cusp of the next one: the metaverse. A digitally enhanced and immersive world is here to transform the future of the internet.

While nothing is certain, particularly in a rapidly evolving space like this, the metaverse has the potential to change the way we live, work, and do business in ways we can only begin to imagine at present. However, before we rush to avail of the opportunities that this powerful new virtual world is likely to offer, we must consider the learnings from Web 2.0 and Cloud, and reflect on what we can do better to secure the cyber environment.

For the great majority of people, Web 2.0 manifested itself in the form of social media platforms that are almost entirely dependent on user-generated content. Unfortunately, in the haste to avail of easy-to-use services, privacy and security aspects were at times compromised.

We must ensure that we don’t allow that to happen again. No one may yet know the exact form that the metaverse/s will take, but we can ensure that all of them incorporate the concepts and principles of Security by Design, Privacy by Design, and Trust by Design from the very outset.

Identifying the weakest links

In the first instance, it is necessary to understand that this goes far beyond the IT and communications infrastructure and network security considerations normally focused on by cybersecurity professionals.

These are, of course, critically important, but so too are ethical considerations. Indeed, the potential impact of the metaverse on people’s physical and overall wellbeing, and the potential for data abuse and breach of privacy is immense.

The first step, naturally, will be to secure the IT infrastructure involved in the delivery of the metaverse.  The way the metaverse will work will see millions if not billions of people simultaneously entering the new merged world of the physical and the digital, using a far greater range of devices than those in use for accessing social media and the internet today. It will be the largest IoT network ever seen.

The new virtual and augmented reality world will require people accessing it to wear devices such as headsets, haptic gloves, and other pieces of technology which may only exist in the imagination at present or haven’t even got that far yet.

The security, not only of the devices themselves, but of the entire supply chain involved in their manufacture will have to be assured. The software embedded on the devices will also need to be secured. And that’s just the beginning.

Security will need to be constantly updated. That will bring questions as to how it is updated, the measures in place to prevent insecure devices from accessing the metaverse, the permissions required from users to auto-update devices, and whether those auto-update services themselves are secure.

Through the ethical lens

Overlaying that will be a range of ethical considerations that have only begun to be explored. For example, when a person enters the metaverse they will likely do so using a digital representation of themselves. That will require the sharing of an enormous amount of personal data and opens up the prospect of identity breach by internal as well as external actors.

In this instance, the metaverse will be the vector for the cyber criminals to carry out their malicious activities. They will do so by using data gathered by various means to assume the identity of an innocent party – traditional identity theft, except in the virtual world.

They will then carry out transactions, contact other people to perpetrate further frauds, and perpetrate other criminal actions all while under the cloak of a stolen identity.

And these actions will be quite easy to carry out. For example, it is anticipated that a person’s avatar will need only to double blink one of their virtual eyes to make a purchase in a metaverse store or to make a bank transfer while in the metaverse. Sending an authentication notification to someone’s mobile phone is probably not a practical option when someone is immersed in the metaverse.

Three key issues that Irish organisations need to consider are:

That process will require vast amounts of personal data to be held by someone somewhere. The ethical aspects of how that data is stored and utilised needs to be addressed well in advance of the metaverse becoming operational.

It is also imperative for organisations to consider the security of the various retailers and other service providers who will effectively make the metaverse work. The scale and complexity of that undertaking can be mammoth. Millions of businesses across the globe are likely to seek to participate in the metaverse and everything from their identity to the security of their IT infrastructure and services will need to be verified and constantly monitored.

The other dimension that organisations need to take into account is the health, safety and wellbeing of the people accessing the metaverse. We have already seen some of the consequences of social media engagement on the mental health of users. The impact of the metaverse could be of a greater magnitude.

So, what actions should organisations take to secure the metaverse?

Summary

The metaverse is a play pen right now, soon it will be a business. We are aware of the security, privacy, and ethical issues this time around. So, now it’s about putting security, governance, monitoring, and ethics into the algorithms which make up the metaverse from the very beginning. It is also critically important that industry, academia, regulators, and lawmakers understand the key priorities for securing the metaverse.

About this article

By Puneet Kukreja

EY Ireland Cyber Leader