
Data Breaches: The Definition of Insanity

Sadly, it’s not hyperbole to say that literally every week we hear of a new data breach. In September, we learned that Equifax, one of the United States’ three major credit reporting agencies, fell prey to a breach that impacted 143 million American consumers, exposing Social Security numbers, home addresses and other sensitive personal information. We also recently learned more information about Yahoo!’s historic data breach that occurred in August 2013. While we originally thought “only” one billion accounts had been compromised, we’ve come to find out that every customer account that existed at the time (three billion in total) was affected. And these are only the big ones.

October is National Cyber Security Awareness Month, during which organizations and news outlets serve up recycled tips on how to keep our identities safe. We all know what those guidelines are: change your password often, and make it more complicated. (It’s an annual joke, but 2016’s most common password was still “123456.”) But the problem is, passwords don’t work. In 2016, all five of the biggest data breaches of the year involved compromised, weak or reused passwords. Moreover, only 16% of people follow password best practices by maintaining a unique password for each of their online accounts. To add insult to injury, the creator of the guidelines we all use to create our passwords – Bill Burr, whose 2003 report recommended using numbers, obscure characters and capital letters and updating regularly – admitted this year that he messed up.

With this context, it’s a good thing that the other oft-cited tip is to adopt two-factor authentication: that is, coupling a user’s password with another step (often, a text or an email) to authenticate. A much better practice, but – regrettably – consumers are falling short here, too. According to a joint study by the University of Maryland and Johns Hopkins University, the 2FA adoption stats are pretty bleak: only 25% used 2FA on all of the devices or services that offered it; 28% never used 2FA; and – of those who never use it – 41% cited inconvenience.

With data breaches happening on a frighteningly regular basis, this last data point is telling. As Bloomberg reported, the sheer number of breaches can lead to a “security fatigue” amongst consumers, causing risky computing behavior. Consumers have the option to use fingerprint authentication on their phones but many default to the typical PIN – something we know is easily stolen. An overwhelming amount of people find many of the above processes (two-factor authentication, for example) unnecessary or obtrusive – just a few of the reasons why they tend to secure their data and personal information using nothing more than a weak password.

With each subsequent breach, we all get up in arms – and yet, our practices have not changed. It is the true definition of insanity.

The general public has shown time and again that they cannot or will not take the necessary steps to protect their online data and identities. So, it is up to us, the enterprises and institutions who interact with them on a daily basis, to make this decision on their behalf and demand that our consumers adopt better security measures – and find it easy to do so.

Enterprises must see the necessity in changing their authentication practices in a way that carries over to consumer habits. Yes, this is a complicated and likely expensive charge, but it is absolutely possible: look what Apple has accomplished with changing consumer authentication methods – first, with the Touch ID fingerprint scanner, and now, with the introduction of facial recognition.

Many organizations are working with a mix of new and legacy systems, often layered and cobbled together after years of new tech adoption, acquisitions, mergers, and more. And it is a massive task to catalogue these systems; research and decide on new security software; and coordinate budget and buy-in from the board. Still, many organizations are going through this in-depth process now, with the deadline for GDPR slowly ticking down – what better time to evaluate your legacy architecture and create a more secure environment?

We must shed this deliberate and slow-paced process of change: the time to change our security practices is now. Because, with each new breach and development, it must be asked: when is the last straw actually the last straw?
