As Big Tech firms begin to dive head first into the metaverse, Microsoft is urging the industry to make cybersecurity a priority and establish core security principles before the emerging technology becomes too advanced and vulnerable to exploitation.
In a blog post, Charlie Bell, the company’s executive vice president of security, compliance, identity and management, warns organizations about the possibilities of widespread social engineering and cyberattacks in the metaverse, including fraud and phishing.
Microsoft, along with other companies such as Meta and a handful of others, are early adopters of the metaverse. Microsoft’s early foray into the emerging technology is largely isolated to Microsoft Teams for virtual reality meetings.
According to Bell, new technology is often a goldmine for fraudsters and hackers, including in the early days of the internet, Wi-Fi, and smartphones. These technologies developed too quickly for IT and security professionals at organizations to develop policies around their use, leading to significant security concerns.
“We can logically expect metaverse-influenced features and experiences to arrive at enterprises in much the same fashion,” Bell writes.
Calling security a “team sport,” Bell calls for each vendor dabbling in the metaverse to collaborate and share information about security concerns, similar to how the tech industry now largely collaborates when it comes to identifying threats and working together on security issues.
Bell says attacks on identity, still the most prevalent cybersecurity concern, are likely to appear in the metaverse. Rather than a fake email from a bank, it could be a fake avatar of a teller in a virtual bank lobby asking for information, or an impersonation of a business leader inviting the user into a malicious virtual conference room.
Securing identities in the metaverse is now the top concern as organizations looking to adopt this technology need to know that it won’t expose them to new security threats. Security tools such as advanced authentication and tools that allow IT admins to govern access to multiple cloud apps will be necessary in the metaverse, Bell writes.
In addition to applying modern cybersecurity concepts to the metaverse, vendors operating in this space should be required to be transparent and interoperable. Much like software vendors, metaverse vendors should expect loads of security questions and be prepared to quickly release security updates.
“There must be clear and standard communication around terms of service, security features like where and how encryption is used, vulnerability reporting and updates,” Bell explains. “Transparency helps accelerate adoption — it speeds the learning process for security.”
With other emerging technologies, the metaverse market is expected to be competitive, and new innovations will come rapidly, leading to uncertainty in how exactly the metaverse will evolve over time.
“But we do not need to predict the ultimate impact of the metaverse to recognize and embrace the security and trust principles that make the journey a safer one for all,” Bell writes. “Let’s make the lessons we’ve learned about identity, transparency and the security community’s powerful collaboration our top ideals to enable this next wave of technology to reach its full potential.”