A new report has revealed it took one NSW government department 49 days to shut down an email hack.

A new report on cyber security in the public service by the state's auditor-general Margaret Crawford (PDF) uses the attempted financial fraud as a case study to argue for better cyber security practices.

In 2017, fraudsters gained access to a NSW government email account and used it to send deceptive emails to find out the credentials of finance staff.

Two weeks later, the agency's IT provider detected a fraudulent invoice.

By day 20, 300 staff had clicked on the links inside the bogus emails.

This gave the intruders access to about 200 government email accounts, but the agency involved had still not locked the accounts.

On day 36, the incident was reported to the Government's chief information security officer.

Six days later, authorities discovered the initial hacked account was still compromised.

Along the way, the agency’s payments gateway was shut down, and was finally re-opened on the 49th day.

Ms Crawford says it is a clear example that things need to change.

“There is a risk that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage may be lost,” the report said.

“Cyber security incidents can harm government service delivery and may include theft of personal information, denial of access to critical technology, or even the hijacking of systems for profit or malicious intent.”

The report found there is no whole-of-government capability to detect and respond to security incidents.

It makes 11 recommendations for urgent consideration by the State Government, including improved training and reporting systems.

Ms Crawford also recommends cyber security intelligence sharing between agencies be improved, and call for formal links to be created with Federal Government security agencies, other states, and the private sector.

The NSW Government says it will endeavour to implement the auditor-general's recommendations.