GSX Learnings: Virtual Security Starts with Taking the First Step into the Metaverse

By Susan Friedberg

As security practitioners continue to harden the security posture of clients and customers against physical and cyber threats, a new dimension of our world is now emerging and growing – the virtual domain, or the Metaverse.  

Perhaps we have accessed the Metaverse through VR technology and are beginning to engage in gaming, trading, and commerce actively. Many of us are just starting to hear of this emerging technology and concept, hearing stories on the news about cryptocurrency or the newest VR headset. Our heads may be actively buried in the sand – avoiding any discussion that would prevent us or distract us from focusing on our work, as we believe something like an “avatar” or “blockchain” and the Metaverse will never really manifest or impact our customers, and the communities we serve.  

Presenters Mary Gamble (Gamble Legal, PLLC), Lee Oughton (CEO, Co-Founder, Fortress Risk Management), and Jon Harris (Senior Product Manager, HiveWatch) shared in their presentation, “The Metaverse, NFTs and the Future of Security in a Virtual World,” that the world of the Metaverse is real and growing exponentially.  

The Metaverse is not only available for entertainment and gaming but also fast becoming a resource for enterprises to engage in commerce, trading, and banking. We must start to consider the inevitability of how virtual engagement will be a part of our day-to-day lives, both personally and professionally, in the immediate future.  

As with any other fast-growing and underregulated technology, we as security practitioners have the opportunity to extend our expertise in physical and cybersecurity to understand and start to map out the vulnerabilities in virtual worlds and build security programs that protect users.

Start with the Basics: Understanding the Lingo of the Metaverse  

First, Gamble, Oughton, and Harris shared that security practitioners should have a basic grasp of the technologies referenced when discussing issues in the Metaverse and some of their applications before we can identify security issues.  

  • Web3: The next generation of the world wide web, which is based on a decentralized structure and incorporates blockchain and token-based economics
  • Avatar: a picture or animated character selected by an online user, which represents the online user 
  • Metaverse: a connected network of 3D virtual worlds; an immersive virtual space made possible through the use of virtual and augmented reality technology for users to shop, game, interact, train, and experience 
  • Blockchain: A digital ledger technology that records transactions and distributes these records, or blocks, across a network 
  • Digital Assets: Any type of asset that is created, traded, and stored in digital form that has or will create value and usage rights  
  • Digital Currency: Currency, money, or financial asset that is managed, stored, or exchanged digitally 
  • (Crypto) Token: Units of value that are developed on top of existing blockchain networks, that hold value, and represent a physical or digital asset 
  • Non-fungible token (NFT): A crypto asset that represents real-world objects, such as art, property, goods, or identities 

The Metaverse interacts with core objectives and functions of the security industry such as asset protection, access control, data protection, privacy, executive protection, and ESRM. For example, the use of an NFT, or non-fungible token, is as ubiquitous in the virtual world as an identity or credential is in the physical world.

With this understanding, security practitioners can begin to assess opportunities and threats with these technologies and what adaptations are required to remain relevant and practical. 

The Metaverse is Here and Showing Up to Work and Play 

10-15 years ago, we started thinking about how automation, machine learning, and computer vision technologies would be integrated into security systems – at the time, simply a vision. Today, these things are commonplace. McKinsey & Co research indicates that the Metaverse industry will reach nearly $5 trillion by 2030.

While the Metaverse came to prominence through gaming and social media applications, today, enterprises are using the Metaverse to help view floorplans, tour facilities, or hold remote meetings and conduct crisis and emergency management drills without having to be onsite. Additionally, defense organizations using virtual technology for simulations now benefit further through accessing the Metaverse by bringing new dimensions and overlays to their training exercises.  

Oughton points out to the audience a fundamental reality – we have risk management in the physical and cyber domains, but we are behind on virtual. When a friend, family member, or colleague accesses the Metaverse, we cannot necessarily enter the same world or monitor their activity. Oughton, a Metaverse user, initially took an interest in Metaverse security in the context of executive protection. He cannot fully protect his clients when they enter this virtual domain, so instead of standing idly by, he decided to dive in and see for himself.  

Metaverse users, without these controls or security measures, are vulnerable to the same risks as in the cyber world – harassment, stalking, and hacking. However, in the cyber world, there are monitoring and security systems to help users navigate their digital experience, minimize risk, and prevent compromising their or their employer’s safety.  

The chasm of adoption is not far. Oughton shares that if we as a security industry don’t enter the Metaverse, see where there are threats, and come up with the solutions, threats will come from outsiders who do not bring security principles into it, and we will struggle to adapt.

Anonymity is the Foundation of the Metaverse, Leading to Legal Ambiguity  

When it comes to privacy and data collection, the more you put out, the more that’s being collected. There are no actual structures to ensure your data security and safety in the Metaverse. Users must be mindful of whom they are engaging with on the other side. 

Gamble emphasizes that while there are many laws and regulations worldwide and at the federal and state level related to online commerce, communication, and privacy, there is no clear “internet law” or “digital law.” Instead, we have different laws targeting different components of our digital worlds. Virtual worlds are a new frontier for legislation and regulatory oversight, leaving gaps in legal protections when we personally, our families or our companies engage in virtual worlds.  

The most crucial legal gray areas when users engage in the Metaverse include intellectual property rights and regulating virtual assets. Big questions are yet to be answered – what happens if you win money through gambling or a lottery or get scammed? How do we authenticate identities, validate information, and track where it goes?

Jurisdiction is just as much of a gray area – if a person logs on to a virtual world in one state or country, do the laws of their physical residence govern the activities they conduct?

These questions may not have clear answers yet. Still, as more users engage with the Metaverse, there will be more demand for company-level policies and procedures that account for the lack of regulation and oversight of our engagement in virtual domains. Control what you can control.  

Ultimately, Oughton and Gamble emphasize that whether you are engaging in the Metaverse for professional or personal reasons, user conduct in a virtual world should mirror the ethics and standards applied for any physical or digital transactions you engage in. 

Grab a Headset, and Dive In 

Virtual technology and the Metaverse are evolving quickly, with recent public announcements and advancements in this technology. For example, in 2014, Facebook acquired Oculus VR for $2 billion, and in 2021 the company launched a significant branding change from Facebook to Meta and announced investment spending of over $10 billion on Metaverse development.

There is a tremendous technological opportunity ahead with the Metaverse. Oughton and Gamble share that we do not yet know enough about the power of the Metaverse and how commerce and society will change as it grows. The development and use of the Metaverse are advancing faster than policies and procedures can be put in place.

As risk practitioners, we must stay ahead of the threat by first inserting ourselves into the virtual domain, understanding the infrastructure, creating smart policies, and deploying protective measures for users.  

Start small. Start with a first step – learn the language, keep an open mind, and enter this new domain. Oughton shares that he started his understanding of the Metaverse by watching online videos and tutorials on how to access and engage, and it gave him new channels to connect with people who specialize in the Metaverse. Gamble adds practical advice for security practitioners to begin their Metaverse journey – to start with something fun and to explore an area that excites you in your personal life. We do not have to take on understanding this vast technology on day one, but maybe we can start with cooking classes or virtual hikes in remote destinations.  

While the Metaverse is ultimately designed for fun, community, and engagement and to create a more connected world, any new technology will soon show gaps in its security posture, and bad actors will be able to filter in. The sooner security practitioners engage and understand the power of the Metaverse, the sooner we can apply new standards and practices to protect our companies, families, and assets from emerging threats while also harnessing the power of the Metaverse to enhance our day-to-day lives.

For more information, contact:

Mary Gamble, Attorney at Gamble Legal PLLC (LinkedIn) 

Lee Oughton, CSMP, COO and Co-Founder at Fortress Risk Management (LinkedIn) 

Jon Harris, CPP, PSP, Senior Product Manager at HiveWatch

Susan Friedberg is the Director of Communications at Pronto.ai and Pollen Mobile and an ASIS Member. Reach her on LinkedIn