Corporate Fantasyland

Twice today I read “enterprises do this” statements that made me laugh.
Over at SANS the handler wrote “Corporates typically block outbound FTP” while describing Yahoo phishing that had FTP downloaded malware.
Later I was reading the latest AV-Comparatives report. In the discussion of numerous Sophos false positives, the author says Sophos is used in corporate environments where “new software is rarely installed.”
I’ve been looking for reliable statistics about what percentage of companies currently allow a significant percentage of employees to have local administrator rights. When I see statements like the above I wonder if our policies which were once one of the more restrictive are now comparitively lax. Or is it that the authors are merely stating what they wish were true.