The Mumbai attacks exposed vulnerabilities in hotel security. Experts reveal what these are � and what must be done to fix them.

The November 2008 Mumbai attacks could bring changes to international hotel security just as sweeping as those Sept. 11 brought to aviation. By the time the 60-hour rampage that targeted three of the city's top hotels had ended, security experts, law enforcement and hoteliers worldwide knew that they were facing a new reality.

The threat of terrorism at luxury hotels has long been recognized: In 2001, the U.S. Department of Homeland Security identified hotels as soft targets, and since then fatal attacks have occurred at a dozen properties around the globe. To be sure, the two other incidents in 2008 � at the Marriott Hotel in Islamabad and the Serena in Kabul � were in high-threat countries not frequented by tourists.

But several earlier attacks took place in destinations popular with both business and leisure travelers: Netanya, Israel (2002); Jakarta (2003); and Sharm-el-Sheikh, Egypt, and Amman, Jordan (2005). Yet the Mumbai violence, in which 171 perished, sounded the loudest alarm, say hotel security professionals.

"We've been monitoring attacks on our industry [in the Middle East and Asia]," says Jimmy Chin, chairman of the security committee for the Hotel Association of New York City. "These had high death tolls. The [terrorists] are honing their skills."

Chin, who is also the executive director of risk management for the New York Palace Hotel, says the Mumbai violence struck close to home. "Mumbai is a financial capital; New York is a financial capital. Mumbai has a high population; New York has a high population. Mumbai has luxury hotels; New York has luxury hotels."

Although no U.S. hotels have been attacked to date, industry insiders are increasingly concerned about their vulnerability. "Major European capitals and American cities are a couple of places we're worried about," says Robert Grenier, a 27-year veteran of the CIA who is chairman of global security consulting at the corporate security firm Kroll. "Mumbai is going to force five-star hotels in high-threat capitals to focus on security � at least in the short term."

The challenges of hotel security
As quasi-public spaces where people come and go freely, hotels by their nature are difficult to fully secure. "They are not nuclear power plants, prisons, or airports," says Thom Davis, president of the security company Hospitality Risk Controls, who is also on the Department of Homeland Security's lodgings committee. "They have some obligation to provide reasonable security measures, but there is only so much they can do."

In fact, hotel safety and security efforts can vary wildly, even within one brand. And hotels are not subject to international � or in this country, federal � safety standards beyond basic fire and municipal codes. Matters of hiring security guards and training staff are mostly left up to hotel management. Experts say it's impossible to institute a national standard. "What applies in Manhattan may not apply at a hotel in Dublin, Ohio," says Davis.

A 2002 study of American hotels by Cornell University's School of Hotel Administration found that "over one-third of general managers surveyed had done nothing to alter their security procedures," and that the safest properties are those at airports, followed by luxury hotels, especially new and urban ones.

A follow-up study in 2008 concluded that little progress had been made. Many hotel security auditors say that name-brand luxury properties in major cities tend to be the most focused on guest safety. But according to Grenier, "You might be better off staying in a boutique hotel" � an unlikely target for a terrorist attack.

In the 1990s, the U.S. hotel industry did effectively address the problem of crime and theft by making electronic key cards standard and installing back-of-house surveillance cameras and in-room safes. Hotel auditors expect a similar industrywide effort to focus on protection against terrorism.

But that doesn't solve the problem of porous security abroad, particularly in places where counter-intelligence is weak and local law enforcement cannot be counted on in the case of a heightened threat. The Indian press reported that two months before the Mumbai attacks, local police gave the Taj hotel a list of 22 needed security improvements, including placing a grill gate over the back entrance where the attackers gained access.

The hotel reportedly relaxed security just before the bombings. A spokesperson for the Taj wouldn't comment on the company's security procedures, but in a televised interview Ratan Tata, the chairman of the Taj hotel group, blamed poor intelligence and ill-equipped law enforcement for the fatalities.

Many large chains hire security consultants such as Hospitality Risk Controls, Kroll, and the Annapolis-based global security firm iJet Intelligent Risk Systems to audit their hotels to detect security lapses. iJet also provides clients, typically Fortune 500 companies and high-net-worth individuals, with detailed country profiles and daily travel alerts reported by staff around the world, many of whom are retired intelligence and military officers. The company audits about 500 hotels annually, and those that pass its rigorous safety checks and covert inspections land in a database available to subscribers (subscriptions start at $5,000 a year).

"There's such a range of players out there," says iJet president Bruce McIndoe. "Some recognizable brands don't know how to spell the word security. They don't even have anyone in charge of it. Other have sophisticated global operations," he says. "Hotels need to do better. The industry doesn't have standards, and the brands don't have control."

What hotels are doing now
The week after the Mumbai bombings, police departments in several U.S. cities � including New York, Chicago, and Miami � met with hoteliers to urge them to step up employee training and monitoring, background checks, and lobby security. (Some Manhattan hotels have had 24/7 plainclothes security in their lobbies since 9/11.) Any increase in such safeguards will be a deterrent to would-be attackers, says Grenier. "If they see an obvious upgrade in security, they'll find other targets."

Cement blockades at the checkpoint of the Islamabad Marriott reportedly saved hundreds of lives when the hotel was attacked last year, and the Sheraton Karachi, where 13 people were killed in a 2002 suicide bombing, recently touted its "security enhancements." The days of keeping mum on security so as not to frighten guests may be over as safety measures actually become a marketing tool � particularly in a competitive economy.

The Starwood chain, for one, works with two security firms. "Several years ago, we overhauled our existing emergency and crisis procedures to address terrorism-related events as well as traditional crises," says Starwood spokesperson K. C. Kavanaugh. Access to its Mumbai properties is now restricted to guests.

Wake-up call: Lessons learned from Mumbai