Organizations have security concerns as they prepare to enter the metaverse

(Image courtesy Riki32 via Pixabay.)

More companies are planning to invest in the new frontier that is the metaverse, but cybersecurity threats are a top concern, according to a study released today by cybersecurity company Tenable.

The metaverse is envisioned as a 3D version of the internet that’s a shared virtual space where people spend their digital lives and engage in social activities, shopping, and more.

The current version of the metaverse is made up of many independent metaverses that don’t necessarily interact with each other at all.  A single unified metaverse is more of an idea than a reality, but that’s not stopping tech giants like Meta, Microsoft, and Google from pouring big money into it.

And other companies are jumping on the metaverse bandwagon.

Nearly seven out of ten — or 68 percent — of 1,500 cybersecurity, DevOps, and IT engineering professionals surveyed in the Tenable study stated that their organizations have plans to do business in the metaverse in the next six to 36 months, with 23 percent saying they’ve already begun developing metaverse initiatives in the past six months.

Bob Huber

Companies are cautiously optimistic when it comes to delving into the metaverse.

While 86 percent of those surveyed in the study said they would be comfortable sharing users’ personally identifiable information between different services in the metaverse, 93 percent said that organizations need a solid cybersecurity framework before offering services in the metaverse.

Security leaders must understand their business’s goals for the metaverse, said Bob Huber, chief security officer at Tenable.

“Without a doubt, security will lag, but our job remains to enable the business,” Huber told Hypergrid Business. “If we understand the goals of the business, we can establish our risk appetite for this new market and manage the risk.”

New business opportunities

Companies think the metaverse could improve their business interactions, with 41 percent seeing improved learning and training and 41 percent seeing remote working and better collaboration as business opportunities, according to the Tenable study.

Companies also hope to increase their profit margins, with 37 percent seeing potential new revenue streams in the metaverse.

And organizations are hoping that the metaverse will improve how they interact with customers, with 44 percent saying it could offer enhanced customer engagement.

(Image courtesy Tenable.)

Security is a top concern

Not all organizations are jumping headfirst into the metaverse, with 41 percent expressing concern about the security and safety of applications in the metaverse, according to the Tenable study.

Only 48 percent of survey respondents are very confident in their organizations’ ability to curb cyber threats in the metaverse.

Security issues were listed as the top three barriers to entry, with 34 percent saying the prospect of security breaches and identity theft, 33 percent saying the lack of clear processes for data privacy, and 32 percent saying the lack of experienced security professionals is a concern.

Satnam Narang

Not all security threats will be new ones, said Satnam Narang, senior staff research engineer at Tenable.

“The older threats, specifically phishing, malware, and ransomware, will have the most immediate and greatest impact to the organizations developing and hosting each metaverse,” Narang told Hypergrid Business. “This aligns with what we found in our report, with 81 percent of respondents saying that it is likely or somewhat likely that these conventional attacks may occur in the metaverse.”

One thing that’s certain, said Narang, is that newer threats will start to emerge as a problem once the metaverse becomes more widely adopted.

“It’s critical that the organizations developing metaverses today do their due diligence to protect their infrastructure from attacks now,” he said.

And most of those surveyed think strategies to strengthen the safety and security of operations in the metaverse shouldn’t be left to organizations alone, with 87 percent saying that the metaverse should be regulated.

Of the new security threats posed by the metaverse, cloning of voice and facial features and hijacking video recordings using avatars is seen as the greatest threat, with 79 percent saying it is very likely or somewhat likely to occur.

According to the study, cybersecurity professionals and DevOps managers are concerned that there is no way of identifying who is actually behind the avatars and that content stored in a virtual environment or metaverse platform can be forged and leaked.

Organizations are also worried that attackers could exploit vulnerabilities that allow them to invisibly eavesdrop in VR rooms, with 78 percent saying these kinds of attacks are very likely or somewhat likely. There is already research by ScienceDirect showing how this could happen.

Just like human identities are protected by usernames and passwords, keys and certificates protect machine identities, and these could be vulnerable as companies engage with various metaverses.

Computer programs communicate with each other through application programming interfaces, which could also be compromised in the metaverse.

Almost four in five — or 78 percent — of professionals surveyed say compromised machine identities and application programming interface transactions are very likely or somewhat likely to happen in the metaverse.


(Image courtesy Tenable.)

Despite security concerns, organizations have some ideas about the steps they need to take to support their metaverse initiatives.

More than half — 55 percent — said their organization would need to train current employees about safe cybersecurity practices to support their metaverse investment.

Organizations that are investing or plan to invest in the metaverse say hiring talent in specialized areas will be crucial, with 52 percent saying hiring more IT support staff, 49 percent saying hiring more cybersecurity professionals, and 46 percent saying hiring more software developers is important.

Alex Korolov