Does your avatar really get disconnected when you log off from the Metaverse? Does cyberbullying really stop after you have left the game/platform? Can an imposter steal a business secret from a competitor’s virtual event in the Metaverse? If the Metaverse is beyond virtual reality, your digital self is a hacker’s paradise in an ever-open, hyper-connected and socially engineered ecosystem. As per a Chainalysis report [1], the total cryptocurrency value received by ransomware addresses amounted to USD 406 million in 2020. At the same time, phishing attacks (on crypto wallets), DeFi hacks and fraud continue to rise. Cybercrime as an industry is expected to balloon from USD 6 trillion to more than USD 10.5 trillion by 2025, and a good part of it is believed to be in the Metaverse world [2].
As Web3 continues to scale with its open yet decentralised mission, user demands will continue to grow as more NFTs/fungible tokens gain mainstream adoption. Further, as users hop between two subsets within the Metaverse, there is an increased need for cross-pollination of data sets and avatars, which would require a security framework that is standardised and covers the entire digital footprint of the user across platforms. Today’s technology platforms need to envision security right at the start of envisioning an immersive cross-platform digital experience.
Yesterday’s physical-world security structure needs a relook and a stitch across all dimensions – network, code, devices, APIs/data exchanges, application, information, user and data security. The last three are critical in the context of the Metaverse. The user data that traverses different multi-verses will remain critical; hence both user management and data pertaining to the user will need end-to-end protection. So, it creates an added onus not only on CISOs and CIOs to stitch the physical and virtual worlds together but also on the broader technology ecosystem, which needs to move away from a siloed/proprietary security model to a ‘network dominated federated’ model.
The Metaverse landing needs CISOs to first focus on:
- Securing the end user by adding layers with AI: As compute gets cheaper, the bandwidth to support multiple apps on a single VR device increases even further. Hence, the end device inevitably needs to be wrapped in a configuration data layer, a source code layer and a host data layer. This could also mean infusing risk-free, AI-based ethical synthetic decision making into the Metaverse, which requires ‘portable identity’ – without sacrificing CX.
- Adapting to real-time security assessment: Mitigating a risk on paper is different from reducing the risk in the real/digital world. Even the most sophisticated RSA keys can be broken in real time. Vulnerability assessments happen on a monthly/quarterly basis, but threats and incidents emerge in real time across the entire ecosystem. Further, if this real-time security need is linked to opportunity cost, the ‘secure-by-design’ approach will have buy-in from the business right at the start.
- Nurturing continuous training and awareness mindset: Each activity linked to branding/marketing/selling in Metaverse means more training and awareness for the employees and customers.
- Engaging with governments and the ecosystem to include a co-regulation angle: To achieve higher levels of transparency with government entities, competing organisations, partners and customers, CISOs need to move away from a company-specific model to a ‘network driven’ or ‘ecosystems-led’ model.
But the Metaverse runway also needs to adapt a lot quicker (with more political will and multi-state co-operation):
- Unlike how the internet evolved with regulations like CCPA, SHIELD Act, GDPR and others, special attention needs to be given to the evolution of mandates for consumer data protection in the Metaverse world. A governance mechanism which supports interconnectivity and portability of avatars should be augmented with national digital IDs such as India Stack, Singapore’s National Digital Identity Stack, and others, not only to establish trusted and secure digital identities but also to protect private and personal data, safeguard rights and further enforce legal frameworks for adjudication of grievances.
- Policing of fake content/avatars, which also sets out a conflict resolution and redressal mechanism along with propagating safe usage and contextual privacy, would also be required, as Japan and the UAE lead their way into policy shaping with DAOs. The state and Central government departments should, in consultation with the industry, roll out regulations on compliance and identity, and perhaps introduce real-time probes with blockchain-based authentication to make the virtual world safer and more secure.
As with the mainstream adoption of any new technology, regulations and security implications are always an afterthought for the government, but Metaverse policy shaping could change how industry leaders embrace threats for a bold new landing in a virtual world. Let cyber security not be an afterthought or a siloed effort in the Metaverse.
[1] 2021 Crypto Crime Report, Chainalysis, May 2021
[2] Cyberwarfare In The C-Suite, Cybersecurity Ventures, November 2020