More and more companies will let staff use their own mobiles to send and receive company data because the cost of doing otherwise is too high, says an industry analyst.
Speaking at BlackBerry maker Research In Motion's customer conference this week, Canalys senior analyst Pete Cunningham said European firms were largely against using mobile phones for enterprise applications because of the capital and running costs associated with them.
US firms are also reluctant. One delegate said his company measured the cost of the phone against the risk of loss if it disappeared with unprotected company data on it. "No way, Jose," he added.
Firms were fighting a losing battle, Cunningham said. Scarcely 10% of them had "mobilised" their businesses, and sales of smartphones were expected to grow 25% a year from 143.1 million in 2008 to 444.7 million in 2013, he said.
Cunningham said many CIOs were even now tearing their hair out over C-level executives who wanted to access corporate data from their iPhones, rather than (usually) company-mandated secure BlackBerrys. iPhones were the most problematic devices on the market in terms of security, he said, but CIOs couldn't really argue "because the execs run the show".
Letting people use their own devices made the cost argument disappear because the users picked up the costs, he said. It also made seeking a return on investment irrelevant because there was little or no outlay.
Cunningham predicted that mobility in the enterprise would become a strategic necessity for many firms in the next three to five years. When it did, he said, firms would have to address the issue more deeply.
"Users will have to give up some control over their device," he said. This was the quid pro quo for the convenience of doing their job on the go, away from the office, with the device of their choice.
In return, firms needed to agree service levels with staff. Not all devices could or should be supported, Cunningham said.
"If staff have confidential company information on their phones, a proper password regime should be mandatory, and they should access it only through a VPN connection because that gives you control."
The level of company control over the device itself was negotiable, he said. Points to discuss were remote locking and remote wiping of data on the device (users' private e-mails and other content might be wiped in the process), as well as back-up and synchronisation protocols.
Other areas where companies had a legitimate interest in restricting usage were access to applications, use of the phone as an external hard drive, use of memory cards, and file transfers using Bluetooth and Wi-Fi, which could compromise confidentiality.
The final matter to settle was the point at which the company would accept total liability for the device and access to corporate facilities and information. At this point, users would pretty much lose control of the device completely, he said.