What are the implications of these new virtual platforms for our life and work?
There has been significant hype and discussion about “metaverses” ever since Facebook owner Meta announced their metaverse concept in late 2021. But what is it, and what does it mean for those of us working in cyber security and insurance?
The concept of ‘immersive worlds’ or ‘virtual worlds’ is not new. The seminal Lawnmower Man film of 1992 introduced the idea of virtual reality to a pre-Internet global audience, while the term ‘metaverse’ comes from the novel Snow Crash, also published in 1992. However, the tech has developed considerably since then: powerful computing, fast internet connections and high quality graphics are within easy reach across most advanced economies. This means new possibilities exist for commerce, work, learning & skills development, leisure and communication to happen in these virtual spaces.
Existing games and platforms such as Minecraft, Roblox and Second Life have been claimed to be ‘metaverses’ but the new wave of immersive worlds are more sophisticated, offering a wider range of uses, products and experiences than just computer games: a meshing together of the physical and digital world, creating a new online digital economy.
Meta says its “Metaverse” will enable users to “explore virtual 3D spaces where you can socialise, learn, collaborate and play” with people who “aren’t in the same physical space as you.” It will also integrate with its existing products such as Facebook, WhatsApp and the Oculus Quest VR headset.
But before we get too excited about the possibilities promised by these new offerings, it’s worth considering the implications for organisations, especially given many of us already struggle to manage risks related to existing workplace technologies. The latest research suggests only 51% of businesses currently take action to identify cyber risks[1].
For example, metaverse technologies are generating huge amounts of new data, much of it of a personal nature. Advancements in facial tracking, haptics (tech which stimulates the senses of touch and motion) and brain-computer interfaces (where brain signals are sent to a device to carry out a desired action) mean data collection will not only become greater, but also more personal to the individual. Personal data must be protected under the Data Protection Act 2018 – with organisations liable for large fines if there are breaches – so organisations will increasingly need to ensure they have the right security measures in places to safeguard this data.
Immersive worlds could potentially be used to distribute malware, scam people, or engage in other illegal activities which could lead to disruption to businesses or harm to users. The convergence of other new technologies, like quantum computing and AI, could also exacerbate security issues. The government’s newest department – the Department for Science, Innovation & Technology (DSIT) – is examining these issues to understand the risks and opportunities for UK PLC.
As with all new tech, immersive worlds present new opportunities for bad actors: a greater attack surface, larger amounts of data, new ways to distribute harmful content and a novel challenge for hackers to get their teeth into.
New research[2] from DSIT shows 32% of businesses suffered a cyber breach or attack in the past 12 months, with companies losing money, data and reputation, whilst experiencing operational disruption and incurring clean-up costs. Fraud has moved online, with an estimated 4.5 million fraud offences committed in 2022, the vast majority carried out online or enabled via the Internet. And ransomware is currently a significant threat to businesses, with the National Cyber Security Centre (NCSC) recently highlighting ransomware as “the number one threat to the UK digital economy.”
These threats are likely to remain issues in immersive worlds. So just as the Internet enabled the development of digitised versions of existing crimes – such as fraud, identity theft and harassment – there’s no reason to expect immersive worlds will be any different.
If we’re buying and selling things in virtual worlds we will need secure payment methods and ways of sending and receiving goods and services. If we’re performing our workplace duties in virtual workplace environments we will need trusted and secure ways of storing our data. If we’re sharing sensitive information with our customers and clients, we’ll need ways of authenticating people’s identities. If things go wrong we may need insurance to back us up.
Above all, managing the risks created by these digital environments will require many of the techniques which are already recommended today. So what can we do to prepare?
The good news is the tools and knowledge to support our security and privacy online already exist. Good organisations with a mature approach to technology already work to achieve effective management of digital risks. Free guidance such as the NCSC’s 10 Steps to Cyber Security set out how organisations can take a comprehensive, organisation-wide approach to understanding and managing cyber risk. The Board Toolkit offers resources designed to encourage essential cyber security discussions between the Board and their technical experts.
There are also a number of free tools to improve cyber resilience, as part of the government’s £2.6 billion National Cyber Strategy. NCSC’s ‘Early Warning’ Service notifies registered users of possible malicious activities and vulnerabilities. The new ‘Check your cyber security’ tool provides a quick and simple scan for browser and system vulnerabilities, whilst the Cyber Action Plan produces a tailored ‘to do’ list for small businesses.
Finally, the Cyber Essentials scheme sets out the first-order technical measures all organisations should have in place to protect against the most common threats on the Internet. Over 125,000 Cyber Essentials certificates have now been awarded to businesses and organisations of all sizes and in all sectors. Larger firms – including those in the finance and insurance sectors – are increasingly using Cyber Essentials as a way of assuring that the businesses in their supply chains have a good, basic level of cyber security.
Good cyber security readiness is a first line of defence which protects industry, end users and the insurance industry alike. So Cyber Essentials is also a good way for insurers to satisfy themselves that organisations buying cyber insurance have basic protections in place. This way, cyber insurance can be focused on covering residual risk, rather than being used as a substitute for having a good approach to cyber security.
Businesses that don’t adopt these actions now are unlikely to be best prepared to adapt securely to new technology uses in the future. This is why those of us working in cyber security and insurance can play an important role in raising awareness of digital risks and helping colleagues understand how to manage them. New devices and software platforms will always emerge, but the principles remain the same: what are the risks, and how do we manage them?
As people working in cyber security and insurance, we should all remember these principles and ensure we share them with our colleagues and our customers.
[1] Cyber Security Breaches Survey 2023, Department for Science, Innovation & Technology (DSIT)
[2] Cyber Security Breaches Survey 2023, Department for Science, Innovation & Technology (DSIT)
This article was written by the National Cyber Security Centre.