The report, Making the Information Superhighway Safe for Business, found that two-thirds of respondents had in the past year experienced a "serious incident" such as hacking, virus attack or credit card fraud.
Small and medium-sized firms in particular blamed fear of cybercrime and lack of resources for their reluctance to develop e-commerce. Although 94% of respondents had a Web site, less than 20% of SMEs engaged in transactional selling compared to 70% of big businesses.
Confidence surrounding business-to-business (B2B) online security - with 53% of respondents regarding it as safe - was higher than that surrounding business-to-consumer (B2C) security, with only 32% believing it to be safe.
Most respondents (69%) were more fearful of damage to their reputation caused by becoming a victim of cybercrime rather than any financial losses they might suffer because of it, which many thought would be negligible.
Digby Jones, director-general of the CBI, said the survey showed that "fears about potential losses and damage to reputation from cybercrime are stalling the growth of e-business, especially for business-to-consumer transactions. That will only be overcome when all parties are reassured that adequate security is in place to protect them."
Hackers and viruses are considered the biggest threat and accounted for 45% of reported security breaches. Disgruntled former employees and organised crime each accounted for 13% of reported security breaches, while current employees perpetrate 11% of cybercrime.
The report's findings have led the CBI to urge firms to do more risk assessment to combat cybercrime rather than just relying on technical controls. It also highlighted the fact that almost 40% of respondents did not have a board director responsible for cybercrime risk management.
Jones called for measures to help stamp out cybercrime, urging the government to "keep the law up to date and make sure it is properly enforced".
Key recommendations include the creation of a UK Centre for Cybercrime Complaints and an extension of the powers of the Computer Misuse Act 1990 to cover denial-of-service attacks.
Clive Edrupt, a CBI legal officer, said: " These recommendations will be going to the government. We will be lobbying the government to change the law."
But Peter Sommer, an IT security expert at the London School of Economics, said that businesses should not rely solely on the law to protect them. "There is a terrible tendency for people in the computing industry to say the government should do this or that. I am not saying there is no problem with cybercrime but businesses are simply not taking enough precautions to look after themselves."
The survey was sent to CBI member organisations of varying sizes and received 148 complete responses.