How demos can become your biggest security vulnerability

Author: Jonathan Friedman

The demo is often the most important part in any commercial software deal. But as essential as demos can be, they can inadvertently become your biggest security vulnerability.

Unpacking the security risks of demos

One of the major security challenges comes when sharing screens with external parties. When on a video call with prospective clients, partners, or even competitors masquerading as prospects, you're opening up a Pandora's box of risk. You might expose sensitive details — a glance at an open Salesforce or Slack tab, a quick look at a message notification, or a glimpse of business data that can be easily screenshotted.

Imagine your demo as an open house, with hundreds of potential attendees, each possessing a copy of the keys. The onus is on you to understand and manage what's being exposed, a task that becomes more difficult with every offboarded employee.

The data visible on your screen can be mined for URLs, tab titles, and other sensitive information. This exposure bypasses traditional security controls such as two-factor authentication (2FA), because an authorized user is already logged in and is voluntarily showing the session. Moreover, adept social engineers may ask presenters to display certain screens, creating a new vector for potential attacks.

In some cases, companies may use their internal accounts or tenants for demos, thereby increasing exposure to their internal data. Alternatively, if you use a shared demo environment, you might unintentionally reveal details about other ongoing deals or business operations. Sharing your browser can be likened to laying bare your desk for everyone to see, opening up a wide field for potential information leaks and social engineering attacks.

Moreover, the security and gating of your demo environments are often overlooked. Because many employees need access to demo environments for a variety of reasons, these environments are often hidden behind a single shared password or a secret URL. That makes it hard to tell when a credential has leaked and hard to revoke access when an employee is off-boarded.

Consider the scenarios that arise at conferences. If someone manages to sneak a peek at your running demo, they gain insights into your operations, your clients, your data. If they get access to an employee's laptop for even a few moments, the damage could be immeasurable.

Best practices for demo security

So, what are some best practices and solutions to protect against these risks? Here are a few recommendations:

  • Acknowledge that sharing your screen is an attack vector. Even once is enough to breach security.
  • Consider a browser dedicated solely to demos, pre-configured to avoid sharing unintended information.
  • Consolidate and monitor all demo environments and assets that can be shared commercially with prospects.
  • Implement strong security measures in your demo environments, avoiding simple shared passwords.
  • Maintain an access log for your environments to track who is showing what demo and to whom.
  • Regularly audit for personally identifiable information (PII). If you think you're not showing any, double-check. You might be mistaken.
  • Assign each opportunity its own demo tenant to avoid cross-exposure between prospects.
  • Have reliable reset tooling in place that can restore the demo environment after each call, or at least daily.
  • Ensure you can swiftly off-board employees from all demo environments.
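The shared-password, secret-URL pattern criticized above and the per-opportunity tenant, access-log and off-boarding recommendations in the list can be contrasted in code. The following is an added example, not code from the original post or from any product it describes: a hypothetical in-memory access broker (`DemoAccessBroker`, a constructed name) that issues each presenter a short-lived grant scoped to one opportunity's tenant, stores only a hash of the token, logs every issue, allow and deny event with presenter and prospect, refuses to open another opportunity's tenant, and revokes all of a presenter's grants on off-boarding. The presenter, prospect and opportunity values in `demo_scenario` are constructed sample data.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    presenter: str
    prospect: str
    opportunity: str
    expires_at: datetime
    revoked: bool = False


class DemoAccessBroker:
    """Per-presenter, per-opportunity demo grants instead of one shared secret (hypothetical)."""

    def __init__(self, ttl_minutes: int = 60, clock=None):
        self.ttl = timedelta(minutes=ttl_minutes)
        # clock is injectable so expiry can be exercised deterministically
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants: dict[str, Grant] = {}   # sha256(token) -> Grant
        self.audit_log: list[dict] = []

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only a hash is kept, so a leaked grant table does not yield usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def _record(self, event: str, **fields) -> None:
        self.audit_log.append({"at": self._clock().isoformat(), "event": event, **fields})

    def issue(self, presenter: str, prospect: str, opportunity: str) -> str:
        """Mint a random, time-limited token bound to one presenter and one tenant."""
        token = secrets.token_urlsafe(32)
        self._grants[self._fingerprint(token)] = Grant(
            presenter, prospect, opportunity, self._clock() + self.ttl)
        self._record("issue", presenter=presenter, prospect=prospect, opportunity=opportunity)
        return token

    def authorize(self, token: str, opportunity: str) -> bool:
        """Decide whether a token may open the named opportunity's tenant; log the outcome."""
        grant = self._grants.get(self._fingerprint(token))
        if grant is None:
            self._record("deny", opportunity=opportunity, reason="unknown token")
            return False
        if grant.revoked:
            reason = "revoked"
        elif self._clock() >= grant.expires_at:
            reason = "expired"
        elif grant.opportunity != opportunity:
            reason = "cross-tenant"   # a grant for one prospect never opens another's tenant
        else:
            self._record("allow", presenter=grant.presenter,
                         prospect=grant.prospect, opportunity=opportunity)
            return True
        self._record("deny", presenter=grant.presenter, opportunity=opportunity, reason=reason)
        return False

    def offboard(self, presenter: str) -> int:
        """Revoke every grant still held by a presenter; returns how many were revoked."""
        revoked = 0
        for grant in self._grants.values():
            if grant.presenter == presenter and not grant.revoked:
                grant.revoked = True
                revoked += 1
        self._record("offboard", presenter=presenter, revoked=revoked)
        return revoked

    def showings(self, presenter: str) -> list[tuple[str, str]]:
        """Who showed what to whom: (prospect, opportunity) pairs from the allow events."""
        return [(e["prospect"], e["opportunity"]) for e in self.audit_log
                if e["event"] == "allow" and e["presenter"] == presenter]


def demo_scenario() -> dict:
    """Walk the grant lifecycle with a controllable clock (constructed sample data)."""
    current = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]
    broker = DemoAccessBroker(ttl_minutes=60, clock=lambda: current[0])
    token = broker.issue("alice", "Acme Corp", "opp-acme")
    results = {
        "same_tenant": broker.authorize(token, "opp-acme"),
        "other_tenant": broker.authorize(token, "opp-globex"),
    }
    current[0] += timedelta(minutes=61)          # the call is over; the grant should lapse
    results["after_expiry"] = broker.authorize(token, "opp-acme")
    results["revoked_count"] = broker.offboard("alice")
    results["after_offboard"] = broker.authorize(token, "opp-acme")
    results["showings"] = broker.showings("alice")
    return results


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(key, value)
```

The design choice worth noting is that a token answers three questions at once (who, which tenant, until when), so a leaked link is useless against other prospects' tenants and dies on its own after the call, while `offboard` gives a single place to cut a departing employee's access; the audit log then doubles as the "who is showing what demo and to whom" record the list above asks for.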

Balancing transparency and security in demos

A transparent and accessible demo can make a huge difference to your sales motion. However, it's vital to strike a balance — sharing enough to engage and impress, while safeguarding your sensitive information. With careful planning, diligent oversight, and robust security practices, you can turn demonstrations from a potential security risk into a powerful tool for success.
