From Gunter Ollmann, VP of Research at Damballa in this post on CircleID:
"...on average, between 3-7% of assets within enterprise networks are identified as being infected..."
"Within the ISP/Telco world that have chosen to deploy the Damballa CSP product, between 18-22% of unique subscriber IP addresses are actively seeking to connect to known C&C servers."Ouch.
Note that this is bot-net infections only, not the broader category of computers infected with malware in general.
When I first started securing systems a couple decades ago there were no external threats. We had Netware, IPX and Arcnet. The only path to a compromise of confidentiality or integrity originated on a keyboard within the campus. There were no external threats. The threat to our systems was from the inside, and the risk from insiders was mitigated by the assumption that we'd be able to pin the actions initiated a keyboard inside our buildings to an individual and that the individual would know that the actions would be traceable. It wasn't foolproof - you routinely read about employees misappropriating employers funds - but as far as I know, it was a manageable problem.
Then we connected our wonderful safe little island to the Internet. It didn't take long to figure out that an action by an outsider, external to our island, was a threat to our systems. The solution? Firewalls, of course. If the outsider can't get in, we can focus on the threat from the inside where we know who is at the keyboard, where they know that we know, and where they know that detection and prosecution is a likely outcome.
Today? Unlike years ago, we cannot associate the actions of a keyboard with the individual sitting at the keyboard. This effectively means that what used to be external is now internal, and what has always been internal is now external. What used to be a fairly clear delineation between something that happened from the outside and something that happened internally is gone. We no longer can assert that we know who is at any particular keyboard, and tracing an event back to an internal keyboard doesn't permit us to presume that the action was initiated by a person internal to the organization.
The external threat is inside your enterprise.