The November 2008 Mumbai attacks could bring changes to international hotel security just as sweeping as those September 11 brought to aviation. By the time the 60-hour rampage that targeted three of the city's top hotels had ended, security experts, law enforcement, and hoteliers worldwide knew that they were facing a new reality.

The threat of terrorism at luxury hotels has long been recognized: In 2001, the U.S. Department of Homeland Security identified hotels as soft targets, and since then fatal attacks have occurred at a dozen properties around the globe.

To be sure, the two other incidents in 2008—at the Marriott Hotel in Islamabad and the Serena in Kabul—were in high-threat countries. But several earlier attacks took place in destinations popular with both business and leisure travelers: Netanya, Israel (2002); Jakarta (2003); and Sharm-el-Sheikh, Egypt, and Amman, Jordan (2005).

Yet the Mumbai violence, in which 171 perished, sounded the loudest alarm, say hotel security professionals.

"We've been monitoring attacks on our industry [in the Middle East and Asia]," says Jimmy Chin, chairman of the security committee for the Hotel Association of New York City. "These had high death tolls. The [terrorists] are honing their skills."

Chin, who is also the executive director of risk management for the New York Palace Hotel, says the Mumbai violence struck close to home.

"Mumbai is a financial capital; New York is a financial capital," Chin says. "Mumbai has a high population; New York has a high population. Mumbai has luxury hotels; New York has luxury hotels."

Although no U.S. hotels have been attacked to date, industry insiders are increasingly concerned about their vulnerability.

"Major European capitals and American cities are a couple of places we're worried about," says Robert Grenier, a 27-year veteran of the CIA who is chairman of global security consulting at the corporate security firm Kroll. "Mumbai is going to force five-star hotels in high-threat capitals to focus on security—at least in the short term."

The Challenges of Hotel Security

As quasi-public spaces where people come and go freely, hotels by their nature are difficult to fully secure.

"They are not nuclear power plants, prisons, or airports," says Thom Davis, president of the security company Hospitality Risk Controls, who is also on the Department of Homeland Security's lodgings committee. "They have some obligation to provide reasonable security measures, but there is only so much they can do."

In fact, hotel safety and security efforts can vary wildly, even within one brand. And hotels are not subject to international—or in this country, federal—safety standards beyond basic fire and municipal codes. Matters of hiring security guards and training staff are mostly left up to hotel management.

Experts say it's impossible to institute a national standard. "What applies in Manhattan may not apply at a hotel in Dublin, Ohio," says Davis.

A 2002 study of American hotels by Cornell University's School of Hotel Administration found that "over one-third of general managers surveyed had done nothing to alter their security procedures," and that the safest properties are those at airports, followed by luxury hotels, especially new and urban ones.

A follow-up study in 2008 concluded that little progress had been made. Many hotel security auditors say that name-brand luxury properties in major cities tend to be the most focused on guest safety. But according to Grenier, "You might be better off staying in a boutique hotel"—an unlikely target for a terrorist attack.

In the 1990s, the U.S. hotel industry did effectively address the problem of crime and theft by making electronic key cards standard and installing back-of-house surveillance cameras and in-room safes. Hotel auditors expect a similar industrywide effort to focus on protection against terrorism.