In recent years, the metaverse has risen from relative obscurity to become the big question mark in immersive technologies. Set to revolutionise not only entertainment but also the world’s remote-working culture, it is projected to impact the operations of finance, healthcare, education, and countless other industries as well.
But to implement the metaverse successfully, the new wave of cybersecurity risks that comes hand in hand with it needs to be managed. And, as you’d probably expect, it’s an immense undertaking, one that requires us to fend off threats that are only emerging with the dawn of the metaverse itself.
So, can we learn from the mistakes that we made with web 2.0, or are we doomed to repeat those mistakes once again?
The revolutionary potential of the metaverse
The metaverse is a business opportunity that has already been valued in the billions, reaching a valuation of $46bn in 2020. Goldman Sachs has predicted that the metaverse market could grow to be worth anywhere between $1tn and $12tn.
“The metaverse is an evolution of existing technologies, which could become a revolution. I think that's the tipping point we're at now,” explains Lisa O'Connor, Managing Director and Global Leader of Security Research and Development at Accenture.
The primary difference between the metaverse and the technologies that have come before it lies in its new level of immersion.
“Interacting with web 3.0 is really going to give us a sense of place and ownership – both of which are different, because they are usually controlled by platforms or the environment,” O'Connor explains.
“But the aspiration in the full metaverse is that you can create communities; you have a sense of place that you can return to and experience; you also, potentially, have these self-governing organisations, and you create the community, the rules and the governance around that.”
The level of commercial, economic and societal opportunity that is expected to emerge from the metaverse is nothing short of extraordinary.
“The metaverse will have implications in a lot more ways than just commercial uses, and I think it's still yet to be explored,” explains Tony Kagoo, Head of Innovation, Communication, Media and Information Services, UK and Europe. “I would say that the metaverse is still in the ‘hype bubble’. But I come from an innovation background, so my job is to talk about the art of the possible.”
The potential for this technology is huge. But, equally, so is the level of risk involved, unless intuitive, nuanced and water-tight cybersecurity measures are implemented.
What are the risks of the metaverse, and what makes these risks unique?
“The psychological impact of people being in the metaverse is as real as the real world is. So, security in the metaverses is absolutely critical,” states Kagoo.
One of the biggest concerns of the metaverse, naturally, lies in the level of personal data that is being shared and stored on these platforms.
“We need to get it right, in terms of security, privacy and governance and how we're managing people's data. And that's so important in the metaverse, because we have so many different kinds of data,” O'Connor outlines.
“We're getting biometric data; we're getting eye movement; we're getting potential respiratory, cognitive, and all other kinds of behavioural biofeedback, which could create an incredibly personal digital fingerprint.”
For many users, this level of data collection will be seen as incredibly invasive. As a result, companies’ GDPR practices will be put under even more scrutiny.
“It's a balancing act of making sure that you’re doing what GDPR requires and disclosing what you're collecting, to be transparent. That's a tall order for the metaverse. And, upon stepping into it, we really have to make sure that we understand what we're collecting, why we're collecting it, how we're using it, and what's happening with that data,” O'Connor advises.
Furthermore, as this increase in data collection exposes users and companies to even higher risks, there is an urgent need for the security of our existing technologies to be improved, before they can be deployed in the metaverse.
“The problem with the metaverse is that it is being built on technologies that exist today – ones that already have a deep-rooted legacy of security vulnerabilities,” states Rick McElroy, Principal Cybersecurity Strategist at VMware.
“Before new cybersecurity strategies can be developed, existing defences for technologies vital to the metaverse, such as 5G, IoT, blockchain and artificial intelligence, need to be fortified. Only then can we ensure a solid foundation for this new virtual realm.”
In this way, one of the cruxes of a successful metaverse cybersecurity strategy lies in adopting a unified approach.
“One of the key things that we need to understand is that it's not just about bringing in different technologies. Since it has so many different stakeholders – like cybersecurity, innovation, government bodies and regulatory bodies – everybody needs to come together to create a safer, more regulated ecosystem,” Kagoo states.
There are a number of organisations and safety initiatives out there that are working to define a framework for these ‘best practice’ cybersecurity measures. These consortiums will prove critical in shaping what the web 3.0 experience will look like and the technologies that it will enable.
“We're at the point to influence some of those things and really figure out how we get the things right in Web 3.0 that we didn't get right in 2.0. And I think that's the exciting opportunity here,” says O'Connor.
Managing, protecting and guaranteeing digital identity in the metaverse
The metaverse’s distinguishing quality is the level of complete immersion that it achieves for users.
“Businesses have a different opportunity here, because it's not a binary journey. Being ‘out’ of the metaverse or ‘in’ the metaverse is not as clear cut,” O'Connor explains.
It’s precisely this level of immersion that gives the metaverse both its value and its greatest area of risk. Nevertheless, experts believe that it can also be utilised to achieve the rigid cybersecurity measures that such personal data necessitates.
“Digital identity will form a critical part of the metaverse. How we do it is something that we are exploring today. For example, Twitter is actually building a solution where they're trying to use facial recognition to identify the age of the person who's going to come into the metaverse,” Kagoo outlines.
“The technologies that we use in digital identity to date, like NFTs, will be combined together to help us to secure the identity crisis that we have today.”
In short, ensuring a secure metaverse will necessitate a harmonious network of technologies, sophisticated user access security, and careful stewardship of the data that is collected.
“All these technologies need to come together to form that secure ecosystem in the metaverse. So blockchain will ringfence it and digital identity will be our passports in the virtual world,” Kagoo recommends.
“There's tonnes of data that can be collected, but we should only be collecting what we need for the experience, and then act as good stewards and custodians of what happens next with that. I think those are the questions we should be asking as we put our feet in the water,” O'Connor advises.