On November 26, 2008, terrorists launched a series of coordinated attacks in Mumbai, India. Among the targets were two high-profile hotels: the Taj Mahal Palace and Tower and the Oberoi Trident complex, which is part of The Oberoi Group. Reports indicated that more than 50 people were either trapped in or directly held hostage at the Taj Mahal and about 40 were at the Oberoi. Ultimately, at all of the targets combined, about 300 people were wounded and an estimated 170 died.

The terrorists, whom the Indian government has since said were linked to Lashkar-e-Tayyaba, a jihadist organization that aims to create an Islamic South Asian state, reportedly took cocaine, LSD, and steroids to sustain themselves over the multiple-day siege. They had cell phones and other technology to help them navigate and communicate. They had also clearly surveilled the properties ahead of time.

In addition to the official responders—local police plus national commando and other law enforcement forces—there were heroes at both hotels who risked their lives to help guests and staff members evacuate and find safety. However, there were also major problems. “What you saw in Mumbai was that the reaction plan, if you will, the crisis management plan, was not so fine tuned. I mean, I don’t think hotel staff knew exactly how to react,” says Todd Brown, executive director of the U.S. State Department’s Overseas Security Advisory Council (OSAC).

OSAC has set up a hotel sector group to exchange information from attacks and develop best practices for improving hotel security and crisis planning. The following lessons learned relate to Mumbai and earlier attacks and are drawn from OSAC and other hotel industry experts and resources.

Detect Surveillance

The terrorists apparently built their wealth of knowledge of the hotel floor plans and security setups from pre-operational surveillance and open-source data, such as the use of commercial imagery providers, according to congressional testimony by Charles E. Allen, undersecretary for intelligence and analysis at the U.S. Department of Homeland Security.

To deter and detect this type of attack planning, hotels must be on the lookout for anyone surveilling their properties. The entire staff has a role to play in the surveillance-awareness program. For example, housekeeping staff should be trained to notice anything out of the ordinary in guest rooms, such as the presence of weapons or drugs.

“You just can’t depend on the security personnel, because they’re limited in number,” says Elinor Garely, a travel writer and business management professor at the City University of New York.

“So every person has to be trained to have the watchful eye, to know what to look for in guests. And the people that are not guests,” she says.

Brown agrees. “You have to have training throughout the entire staff of the hotel. They have to challenge people. And they can do that in a nice way. But they should be asking for room keys for where you are staying, all those types of things. And I think in the past, many were sort of lax in doing that. That is changing.”

There are various types of behavior that hotel staff and security officers must be trained to look for. These range from spotting people who are obviously out of place, such as an individual wearing a long or heavy coat in hot weather, to the less conspicuous, such as when a person is taking unusual pictures of hotel exits or security cameras.

Staffers should “be trained in spotting individuals who may raise flags in terms of doing advanced recon,” says Magnus  Ranstorp, terrorism expert with the Swedish National Defense College. He suggests that someone be posted in the lobby to observe individuals and decipher whether they look suspicious. He acknowledges, however, that this surveillance can take a lot of staff time.

Many hotels are addressing this issue cost effectively by positioning in the lobby a greeter who makes eye contact with people entering the hotel and asks them where they are headed. “That person has a chance to eyeball that individual,” says Garely. If suspicions are raised, depending on the level of concern, the greeter can have the person escorted so that he or she is not roaming freely, or the greeter can discreetly call security.

Since 9-11, many Las Vegas hotels have stepped up their visible exterior checkpoints and controls. Vehicles are often stopped and the driver is questioned before they are permitted into the parking garages, says Steven T. Baker, CPP, PCI, PSP, a security consultant at VTI Associates. This approach of asking where people are headed and perhaps even pointing out more convenient routes or garages can be thought of as customer service as well as security, says Baker.

“That’s giving them time to look at the people, see who they are, check their mannerisms,” he says, adding that the casual questioning has been useful in decreasing normative crime, such as car thefts, because it encourages thieves to look elsewhere where they will not be questioned.

Additionally, reception desk workers should have an eye out for suspicious behavior from guests checking in. The hope is that this vigilance will thwart attempts at surveillance and deter attackers, who will prefer a softer target where they can anonymously assess the site.

Hotels must also ensure that employee exits and other less visible entryways are access controlled and patrolled to discourage anyone from trying to conduct reconnaissance in those areas. In this regard, randomness is important. Security patrols and functions of other hotel staff must not be predictable, because this allows attackers to study and counter them more easily. A lack of variability was an issue in Mumbai, where the attackers were able to ascertain security routines of hotel personnel, according to Allen’s testimony.

Make Security Visible

Hotels often try to maintain a low-profile security presence to avoid making guests feel uncomfortable. But in certain locations, as with the greeters at the lobby entrance or garage, visible security can thwart crime and provide a sense of safety for guests.

“I always use a dual approach,” says Duane Firmani, security manager of hotel group Sun International in South Africa, who employs both visible and undercover security. “I believe in high visibility at the boundaries and first points of contact,” he says, referring to it as a “tough outer shell protecting the sweet spot.”

But invisibility has its place as well. Firmani uses covert security to determine whether anyone is conducting surveillance by watching the uniformed security guards. The covert personnel also help with quality control of the security service and overall hotel operation.

Gather Intelligence

Preventing terrorists from gathering intelligence about the hotel site is only half of the intelligence equation; the other half is making sure that the hotel collects and receives the best intelligence possible about the terrorist threat. But it’s equally important to correctly respond to that intelligence once the information about possible threats is collected.

According to Allen’s testimony, intelligence gathered after a February 2008 arrest of a terrorist suspect in India suggested that the Taj Mahal hotel was the target of surveillance. The hotel was notified about the threat, and management increased security, only to decrease it again to routine levels by the time the attacks occurred, stated Allen.

That chain of events illustrates the importance of taking a longer term view toward threat. It is important to remember that terrorists themselves take the long view, planning months and years in advance and biding their time until the moment seems right. A similar situation occurred in the United States, where in July 2001 terrorist chatter led to a heightened sense of threat in the intelligence community but that level of concern had dissipated by September 11.

The Mumbai incident also illustrates the importance of having a good relationship with intelligence services. Fenton says that hotel security must be proactive on this front.

One example of a hotel operation that takes a proactive approach to intelligence is Marriott International Lodging. For example, Marriott was warned by Indian intelligence services in late September about a possible threat, according to congressional testimony from Alan Orlob, Marriott’s vice president of corporate security and loss prevention. The company acted on the intelligence by sending a regional security director to Mumbai to make an independent risk assessment. That assessment showed that the threat situation in India had escalated.

Harden Defenses

Based on that assessment, Marriott raised security to the highest level, which meant screening vehicles, inspecting luggage, and having everyone pass through metal detectors. It is possible that these measures led potential terrorists to choose a softer target.

“The tactics used against the hotels in Mumbai were not new,” Orlob told Congress. He noted that 16 years ago, Marriott began to address the threat of attacks worldwide by forming a crisis management program that includes training exercises and constant risk monitoring.

Marriott has added physical security, such as window film, bollards, and even explosive vapor detectors to properties in high-risk locations. While those measures protect mainly against explosions, in the wake of Mumbai, Orlob said, the organization has also developed an active shooter program. The company uses a color-coded threat program that allows it to ramp up security as concerns mount.

Some of the physical security enhancements, as well as the idea of setbacks (wider perimeters), are lessons from earlier car bomb incidents, such as the August 2003 attack on the JW Marriott Hotel in Jakarta, Indonesia.

As newer hotels in high-risk areas are being designed with more of an eye towards security, “many of the large hotel developers are going to the same kind of thing you see for U.S. embassies; that is, relatively remote sites with substantial standoff distances from public roads and heavily reinforced perimeter barriers,” says Thomas Vonier, FAIA, RIBA, Paris-based architect.

The farther away vehicles are kept from hotels, the less the chance for damage from a blast. However, Vonier points out that long setbacks can make deliveries more cumbersome and raise the specter of perimeter breaches. Additionally, parking becomes less convenient when any type of parking facility is located off-site.

Not every hotel has enough room for a long setback, but there are also barriers such as bollards and planters that can be placed around the hotel to ensure that no vehicle is driven into the building and to minimize damage from a blast. Such tools can only do so much if a bomb is detonated, however.

A more extreme barrier can be seen at the reopened Islamabad Marriott, which now employs what has been referred to as a “bombproof” wall; it surrounds the hotel like a fortress. Chad Callaghan, CPP, vice president of enterprise loss prevention at Marriott International, Inc., which has 3,000 hotels in 70 countries (although it does not own the franchised Islamabad hotel, which is actually a member of the Hashoo Group) says that it is not an attractive addition and would not be welcomed in most places. However, since that hotel has been the site of multiple terror attacks, property owners were forced to take extreme measures.

If there is a garage on-site or if vehicles are coming into hotel grounds, Callaghan advocates having an access control program in place, as well as visually inspecting the vehicles for explosives before allowing entrance. 

Car inspections may be essential in high-risk areas where the parking is underneath or close to the hotel. For hotels in less volatile environments, there are still mild inspections that can be done.

Building design can go a long way to limiting blast damage. Reinforced columns and blast-resistant windows are infrastructure choices that can help protect those inside a building if a bomb does indeed go off. Blast-mitigation on windows can prevent shards from hurting people, a top cause of injury in explosions. However, most hotels have already been built without these specifications and retrofitting is expensive. Still, says Callaghan, his company is retrofitting hotels where such action is deemed necessary, based on risk.

Liaise with Responders

Another lesson from Mumbai is the importance of making sure that local first responders know your facility. The Mumbai terrorists, who had done their homework and were aided by GPS, had a much better working knowledge of the hotels than did the responding commando teams. This should not have been the case, and there are steps hotels can take to ensure that this doesn’t happen.

Hotels must reach out to responders to ensure that they have up-to-date floor plans and information about the properties they will respond to. Hotels in the United States address the issue by ensuring that there are up-to-date copies of floor plans and other important hotel information at an accessible location off-site.

Some states mandate that this be done. For example, Nevada state law requires that various hotels provide the state repository with a copy of their floor plans and operation and response plans in a state repository, according to Baker. Hotels in high-risk locations must be proactive about this.

In response to the lessons learned from the Mumbai attacks, the New York Police Department has been touring various hotels and videotaping entrances, lobbies, and certain rooms, to use as training tools, according to congressional testimony by Commissioner Raymond Kelly. It behooves other high-threat hotels to invite their local police in to do the same thing or to do it for them. This information should be kept on file in a safe location.

Hotels should also explore opportunities for other productive partnerships with law enforcement agencies. Firmani’s group has a public-private partnership with police. This partnership facilitated the establishment of a surveillance network in and around his company’s principal property.  Partnering with law enforcement can also help cement relationships that could be helpful if an attack or other emergency occurs.

Adapt to Circumstances

There was confusion when the terrorists first entered hotels with regard to whether to tell Mumbai’s guests to evacuate or shelter in place. Apparently hotel staff told guests to stay in their rooms when they might have been better off exiting the building if they could have found a safe way out. That’s a tough call, but the main issue is for hotels to have a set of plans that can be adapted to various threat situations and to have someone in charge ready to make those tough decisions based on the best available intelligence at the time.

Train Regularly 

A crisis management plan is only useful if staff know how to carry it out. That means the entire work force must be well versed in its details and their responsibilities. Training can include anything from tabletop exercises to actually evacuating staff to ensure that they’re familiar with fire doors and routes they would take in an emergency.

When a drill or exercise is completed, management should speak with employees about how the training went. Those discussions will help the hotel assess what needs improvement.

Drills and training exercises should be conducted on a regular basis. Disaster response and recovery plans should be tested quarterly and supplemented with tabletop exercises, recommends Philip Farina, CPP, CLSD of Farina Associates, Ltd. But he acknowledges that it’s rare to find hotels doing such drills more than once a year.

Baker says that the hotel security industry doesn’t have the training infrastructure it needs. He says the training compares unfavorably with that of, say, law enforcement officers.

“We’ll do a three-or-four-hour training program and think that it’s…done. And it’s really just the start of that,” Baker says.

Garely agrees. Although most hotels do run training programs, she notes, “You can’t learn enough or become vigilant enough in an hour or two, or even a week or two, of training. It has to be an ongoing ever-present reality in your job.”

The training needs to be more than just one-time lectures and must be followed up and evaluated to ensure that goals are being met, says Baker. One way to improve training is to cut programs into shorter snippets and have supervisors reviewing those points during preshift times or during slow times, he suggests.

Terrorism expert Brian Jenkins said in testimony on the Mumbai incident that attacks on flagship hotels are increasing in number and that the success of Mumbai is likely to invite others to try similar operations. He warned, however, that terrorists frequently change tactics. Therefore, security professionals must learn from Mumbai but be quick to adapt as terrorists alter their mode of attack.

What is unlikely to change is the attractiveness of hotels as targets. “Terrorists will continue to focus on soft targets that offer high body counts and that have iconic value,” said Jenkins.

While no one can remove the threat, the hotel industry can take reasonable steps to minimize the risk.