The survey of more than 1,200 small businesses found that 57% had suffered damage from virus attacks, and 50% of those attributed their problems to misuse of IT equipment by staff.
Businesses said staff downloading non-work-related applications, opening infected e-mails and deactivating security software posed the main risks to security.
Although 75% of companies had policies against downloading non-work-related material, 66% believed that staff had done so in breach of policy.
The most popular downloads were audio and video files, cited by 66% of firms, software (56%), instant messaging applications (52%) and peer-to-peer software (31%).
The practice places companies at risk from viruses which exploit peer-to-peer software and instant messaging to spread.
"Downloading software from the internet is a cardinal security sin for any user," said Sal Viveros, small business director at anti-virus supplier McAfee.
"The rules are simple and should be strongly enforced by the IT department - if it is not work-related, it shouldn't be on your PC."
The survey found that 75% of firms regarded viruses as the biggest threat to their business, although 8% identified data theft and 7% cited hacking as risks.
The majority of respondents had anti-virus and firewall systems in place on servers, desktops and gateways. Less than 25% had systems to stop hackers, and less than 50% used anti-spam filters.