Cybersecurity Issues in the Gaming Industry Portend Metaverse Challenges
To most people, the term “metaverse” loosely describes the future of life online. Others know that it will be composed of shared 3D virtual spaces linked into a larger virtual universe – something that looks and feels much like a game.
But it’s much more than that. I like the detail provided in this definition by Matthew Ball, who has written an extensive metaverse primer and framework: “The Metaverse is an expansive network of persistent, real-time rendered 3D worlds and simulations that support continuity of identity, objects, history, payments, and entitlements, and can be experienced synchronously by an effectively unlimited number of users, each with an individual sense of presence.”
If that is still hard to imagine (and it is), check out the first four minutes of this video, which showcases virtual reality experiences, one aspect of the metaverse.
Expanding the threat landscape
What isn’t hard to imagine for us in cybersecurity is that the metaverse is going to greatly expand the threat landscape. So the metaverse is more than an imaginative exercise for us; it’s the future — a future we should ideally start planning for now.
The gaming industry’s cybersecurity issues
The gaming industry is already providing and influencing a significant portion of the metaverse’s foundational technology. Beyond technology, its business models are likewise being adapted and leveraged across industries.
The video, music, sports, fitness, medicine, education, and industrial training industries (among others) are already borrowing from gaming — so much so that it’s become a word: gamification — which means the gaming industry’s problems are very likely to translate soon to other verticals and the emerging metaverse.
SOTI gaming findings
At Akamai, we have strong visibility into the cybersecurity challenges of the gaming industry. For example, we tracked 821,648,208 web application attacks in the gaming industry from May 2021 to April 2022, representing an annual rise of 167%. Gaming also remains the industry most hit by distributed denial-of-service (DDoS) attacks, accounting for 37% of all DDoS traffic observed globally, nearly twice that of the second-most DDoS-attacked vertical — financial services.
I don’t want to boil it down too much, but if the gaming industry is a more popular attack target than banking, I’m convinced we’ve got a good indication of where the future of security is headed.
Gamers offer 3 security insights we can all use
A previous SOTI report, You Can’t Solo Security, featured particularly useful results of a survey of 1,253 hard-core gamers (81% of whom play games every day), which we undertook in partnership with the international gaming conference organization DreamHack (now ESL Gaming).
These findings help us better understand some key issues that will contribute to the success or failure of cybersecurity in gaming and in the future metaverse. They include:
1. Cybercriminals are in it for more than money
Cybercriminals are in it for the money (obvi!), but the value often isn’t in personally identifiable information (PII); it’s in the account itself. Ten years ago, the primary value of any online account was in credit card numbers and any information that could help a cybercriminal get into a bank account.
From gaming, we’ve learned that the accounts themselves have value in the form of a player’s time and in-game items. Stolen gaming accounts that reflect lots of time played and that have accumulated cool gear allow purchasers of those stolen accounts to play at a high level without putting in the effort.
In-game goods can also be sold in third-party markets for real cash. This form of virtual value is already being reflected in the investment community with people buying up NFTs, another area rife with cybersecurity challenges. So, as the world, and your business, move toward operating in the metaverse, securing accounts and access will become more complex and require accounting for the varied account behavior of users.
2. Cybercriminals target those with disposable incomes who make frequent transactions
Cybercriminals are highly focused on industries such as gaming, in which the user community has disposable income and makes frequent transactions. As mentioned previously, the gaming industry continues to be pummeled with web application attacks. Across industries, these kinds of attacks are the 800-pound gorilla in the security operations center, accounting for more than half of all data breaches.
We learned from our DreamHack/ESL survey that 52% of respondents have had at least one of their accounts hacked, and 70% have come across hacked accounts being sold online. Consider the state of gaming accounts here to be a bellwether for the treatment of future metaverse accounts across a variety of industries and services.
3. Customers want help
Our DreamHack/ESL survey also revealed that 76% of respondents felt that gaming companies were responsible for account security. However, it was a multiple-choice question: 67% of those same respondents indicated that they, the players, should be responsible as well.
The need to align cross-industry cybersecurity strategies
As every company moves to do business in the metaverse, partnership with your users and employees around account security will become a larger part of the customer experience and the brand relationship, expanding security’s role in the enterprise.
As we move into the metaverse, your organization’s attack surface will grow by orders of magnitude. To keep that “other world” turning, cybersecurity strategies will need to better align across industries, and competitors and their security vendors may all need to work together to keep users’ account information secure.
In the meantime, security leaders and their teams who deeply examine the current state of their account security practices and consider new ways to partner with and train their users will be best prepared to manage other complexities yet to come.
Originally published December 28, 2021; updated August 2024.