Small businesses could be leaving themselves at risk of internet attack even if they invest in the latest security systems, the TUC has warned.

According to research by Get Safe Online, the biggest risk to companies is in failing to ensure their staff know best practice when it comes to using the internet.

The study found that 66% of staff admitted to using the same password for multiple websites, 23% had posted confidential or personal information online and 17% had opened email attachments from an unknown source.

"The benefits that the internet brings to UK business are growing every day," says TUC general secretary Brendan Barber. "Social media and networking are increasingly important to people's professional and personal lives.

"But employers must make sure that staff are aware of the dangers associated with working online. Without training, staff may well find themselves the weakest link in the security chain, without ever knowing what they are doing wrong."

The TUC has teamed up with Get Safe Online and the Department for Innovation, Universities and Skills (DIUS) to produce a free online toolkit for staff, entitled Not Safe For Work?

The guide offers advice in the four main threats to workers' online security including:

Malicious software: viruses and other programs that attack your computer and company's IT system

Identity theft: criminals breaking your passwords in order to steal valuable personal and company data

Your rights at work: the do's and don'ts of personal computer use at work and whether you are being monitored

Your privacy online: tips for social networking users, whose personal and work life could be visible to more people they think

The organisations are urging employers to make time available for staff to use the toolkit in the hope of ensuring best practice in organisations.

"The internet is a fantastic place to be and a valuable resource for both individuals and employers," said GetSafeOnline.org managing director Tony Neate. "But having the right software and infrastructure in place is not enough on its own to protect your organisation against online threats.

"Behaviour plays a key part, and knowing what should and shouldn't be done while we're using the internet is just as important. As a result, staff training is an essential part of protecting organisations and employees against internet threats and risks."

The toolkit can be accessed at www.worksmart.org.uk/nsfw