The Metaverse is creating exciting new ways to engage in business and customer experience. I remember in 2010, with the advent of Amazon Web Services, there was the same level of excitement and buzz for business transformation to leverage a public cloud service. One of the things we did not do well in 2010 was make sure that we executed the business transformation taking information security and privacy risk in mind. To coin on old phase, we literally leaned out over our skis and many organizations were caught lacking in security and business resilience. Many assumed the emerging public cloud providers would “take care of that” for them. As we launch our businesses into the Metaverse, we should take this journey with information security and date privacy in mind. Here are couple of observations on risks that companies should consider.
The Augmented/Virtual Reality (AR/VR) user devices are an endpoint device that must be managed and protected just like the rest of your end user devices. Many of the AR/VR terminals are Android-based and pose the same risk as unmanaged mobile phones and tablets on your business networks. Unfortunately, it is very early in the development of these AR/VR devices, and many of our Mobile Device Management Tools are not yet compatible with these devices. We have seen a proliferation of Android-based malware over the last few years and these AR/VR devices could pose a significant risk if not protected and managed. My advice is, for near term: do not allow these devices to connect to your business or production networks unless place them in separate, untrusted segment that has only access to the internet.
With the real state in the Metaverse and Non-Fungible Tokens (NFTs) already selling for millions of dollars, there is a virtual gold rush of startup companies burning a trail to provide products, services, and AR/VR environments to a customer hungry to engage. Many companies are not always prioritizing information security and privacy in their haste to be the first to market. For engaging these companies, responsible businesses should do the same level of information security and privacy due diligence that your current do with your third-party risk management. The safer path is to choose established companies that are leaning forward and building AR/VR environments. For the next year or so, you should consider all of these AR/VR environments high risk and should be careful of what type of information you share when leveraging these services.
I think the next three to four years are going to be exciting with digital transformation taken to a 3D level in the Metaverse. However, as we engage in this new business environment, walk through your virtual world with your AR/VR eyes wide open. The threat is already there waiting on us; we must be prepared to resist their continuous attacks.