Thou Shalt Not Pass – How Do Businesses Control Access in 2026?

Tolkien immortalised the idea of blocking access to a specific area with the famous line used by Gandalf at the bridge of Khazad-dûm, “Thou shalt not pass”. Gandalf, in Peter Jackson’s movie, uses the modern equivalent, “You shall not pass”, but the meaning is exactly the same. 

Nowadays, memes of Gandalf shouting the iconic line circulate online, especially among tech-savvy individuals as a tongue-in-cheek reminder of data privacy and authorisation. But underneath this funny meme lies a real need for businesses to control who has access to their data, websites, and premises. 

In 2026, more than ever, there’s a need to keep strict control over who is gaining access to your business. Businesses are complex entities that handle a variety of elements, ranging from highly confidential data to high-value products. As a result, it is in their interest to ensure that they do not accidentally make themselves vulnerable by keeping an open-door-like policy over access to their assets. Assets, whether they are physical or digital, are valuable and an inherent part of a business’s revenue-generating processes. Naturally, you can take out insurance cover to protect your assets. Yet, even the best insurance plans require businesses to take preventive protection measures. 

So, what can a business do in 2026 to control access strictly?

Image from Lou Lomas: The Mindset Hacker – Medium

Security Guards

Does every business require manned security services? The answer can vary greatly depending on the type of business, but as a rule of thumb, security guards are here to prevent risks of theft, vandalism, and violent behaviour on the premises. 

So, typically, you would find security guards on business premises that are open to the public, such as large shopping centres, retail stores holding highly valuable items, and areas that are designed to be available to large volumes of individuals, like airports, healthcare centres, and large event venues. 

Guards can act as a deterrent in many cases, encouraging people not to engage in anti-social behaviours. But, in some cases, security guards are also here to prevent anybody from gaining access to areas they shouldn’t, such as ensuring staff-only areas remain undisturbed by the public or keeping unwanted individuals off the premises. 

CCTV Systems

Security cameras are a must-have addition to businesses handling valuable assets and sensitive information. In most cases, the installation of a CCTV security system is a condition that the business must fulfil as part of taking business insurance protection. 

Typically, for high-risk businesses, it is a common measure to have high-quality CCTV input for both day and night environments, which includes night vision security. With a variety of nighttime technologies to enhance vision in the dark, businesses can ensure: 

  • They protect their premises from intruders
  • They have the tools to distinguish high-risk from low-risk situations (for example, a human trespasser versus a passing stray cat)

More often than not, security cameras are also linked to a full surveillance and monitoring solution, which will also feature sensors for motion and thermal detection, automatic notification to the property management team, and direct notification to the authorities for abnormal events on the property. This is not just designed to prevent access, but also to collect evidence of unauthorised access and get immediate support to remove unauthorised individuals from the premises. In other words, the system doesn’t just control access but also fully manages it, even outside of business hours. 

Unsplash – CC0 Licence

Access Control Solutions

Not everyone should have access to every area of the business. In large organisations, for example, some services are tasked with handling hyper-sensitive data or services. It becomes essential to ensure that only the individuals needing to work with these assets have access to them. 

This type of access control can happen at different levels, and will also need to include strict vetting strategies at recruitment stages. But once the professionals are in place, there is also a need for a physical barrier in the office that restricts physical access to restricted areas. Typically, this will be done through the issuance of passes, which means that the solution to monitor access is fully autonomous and doesn’t require individual checks at each passage. 

Additionally, organisations also need to be in a position where they can remotely edit the level of access that individual passes grant, such as, for instance, disabling the access rights for a lost pass.  

User Roles Access

Aside from physical access, there is also the worry of digital access, that is, who can see which data in the system. This is where it becomes crucial for businesses to define the different data needs and responsibilities of each role. Indeed, not every employee should have access to all data, but similarly, those who have access shouldn’t all have the same type of access. 

Why does it matter? 

  • Some roles may only need to view the data, such as someone receiving data reports
  • Some roles may need to manipulate the data set to create different visualisation paths, such as for the creation of reports
  • Some roles need to be able to add new data sets and sources
  • Some roles can also transform the data, such as editing or removing data

Different data responsibilities also mean different data access control needs. 
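The four data responsibilities listed above can be expressed as a deny-by-default permission check. This is an added example, not part of the original article; the role names, permission names and the audit-log shape are assumptions chosen for illustration.

```python
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    VIEW = auto()       # read data, e.g. receive reports
    ANALYSE = auto()    # manipulate data sets to build visualisations
    ADD = auto()        # add new data sets and sources
    TRANSFORM = auto()  # edit or remove data


# Hypothetical roles, each mapped to the smallest permission set it needs.
ROLES = {
    "report_reader": Perm.VIEW,
    "analyst": Perm.VIEW | Perm.ANALYSE,
    "data_engineer": Perm.VIEW | Perm.ADD,
    "data_steward": Perm.VIEW | Perm.ANALYSE | Perm.ADD | Perm.TRANSFORM,
}


def effective_permissions(roles):
    """Union of the permissions of known roles; unknown roles grant nothing."""
    perms = Perm.NONE
    for role in roles:
        perms |= ROLES.get(role, Perm.NONE)
    return perms


def authorise(user, roles, needed, audit_log):
    """Allow only if every requested permission is granted; record the decision."""
    perms = effective_permissions(roles)
    # An empty request is denied too, so a caller bug cannot become an allow.
    allowed = needed != Perm.NONE and (perms & needed) == needed
    audit_log.append((user, needed, "allow" if allowed else "deny"))
    return allowed


if __name__ == "__main__":
    log = []  # constructed sample requests
    print(authorise("u1", ["report_reader"], Perm.VIEW, log))
    print(authorise("u1", ["report_reader"], Perm.TRANSFORM, log))
    print(authorise("u2", ["analyst", "data_engineer"], Perm.ANALYSE | Perm.ADD, log))
    print(log)
```
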

Authentication Systems

Alongside RBAC (role-based access control), more and more businesses implement digital solutions that prioritise authentication methods. It’s not just a case of knowing the right password. 

Typically, multi-factor authentication is used to ensure that the user typing the password is the right person. This can be done by sending a PIN code to an email or a mobile number for validation, or by opening a trusted service-provider app or service (such as opening the YouTube app associated with your Gmail account as an added authentication step when signing into your mailbox).
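The PIN-code step described above only adds security if the code expires, works once, and cannot be guessed by repeated tries. The following sketch is an added example, not code from the original article; the class name, the five-minute lifetime and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300  # assumed lifetime of a code
MAX_ATTEMPTS = 3       # assumed number of guesses before the code is discarded


def _digest(salt, pin):
    # Store a salted hash so the pending PIN is not kept in clear text.
    return hashlib.sha256(salt + pin.encode()).digest()


class PinStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # user -> [salt, digest, expires_at, attempts_left]

    def issue(self, user):
        """Create a 6-digit PIN; the caller delivers it by email or SMS."""
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        expires = self._clock() + PIN_TTL_SECONDS
        # Issuing again replaces any earlier code for the same user.
        self._pending[user] = [salt, _digest(salt, pin), expires, MAX_ATTEMPTS]
        return pin

    def verify(self, user, candidate):
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]  # expired codes are removed, not retried
            return False
        entry[3] -= 1
        ok = hmac.compare_digest(digest, _digest(salt, candidate))
        if ok or entry[3] == 0:
            del self._pending[user]  # single use, or locked after too many tries
        return ok
```
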

Permanent Ban

Last but not least, sometimes businesses also choose to actively remove access, such as e-commerce giant ASOS, which has recently put a ban on a group of customers, whose frequent returns have been flagged as suspicious. 

Banning users is another way to keep your business safe through tight access control. To go back to Gandalf, this is the closest to guarding the bridge of Khazad-dûm.

Between “You May Pass” and “You Shall Not Pass”, businesses need to deploy a variety of strategies to keep their physical and digital assets safe. In 2026, nothing can be left to luck when it comes to business access. 