A 2002 study of American hotels by Cornell University's School of Hotel Administration found that "over one-third of general managers surveyed had done nothing to alter their security procedures," and that the safest properties are those at airports, followed by luxury hotels, especially new and urban ones. A follow-up study in 2008 concluded that little progress had been made. Many hotel security auditors say that name-brand luxury properties in major cities tend to be the most focused on guest safety. But according to Grenier, "You might be better off staying in a boutique hotel"—an unlikely target for a terrorist attack. In the 1990s, the U.S. hotel industry did effectively address the problem of crime and theft by making electronic key cards standard and installing back-of-house surveillance cameras and in-room safes. Hotel auditors expect a similar industrywide effort to focus on protection against terrorism.

But that doesn't solve the problem of porous security abroad, particularly in places where counter- intelligence is weak and local law enforcement cannot be counted on in the case of a heightened threat. The Indian press reported that two months before the Mumbai attacks, local police gave the Taj hotel a list of 22 needed security improvements, including placing a grill gate over the back entrance where the attackers gained access. The hotel reportedly relaxed security just before the bombings. A spokesperson for the Taj wouldn't comment on the company's security procedures, but in a televised interview Ratan Tata, the chairman of the Taj hotel group, blamed poor intelligence and ill-equipped law enforcement for the fatalities.

Many large chains hire security consultants such as Hospitality Risk Controls, Kroll, and the Annapolis-based global security firm iJet Intelligent Risk Systems to audit their hotels to detect security lapses. iJet also provides clients, typically Fortune 500 companies and high-net-worth individuals, with detailed country profiles and daily travel alerts reported by staff around the world, many of whom are retired intelligence and military officers. The company audits about 500 hotels annually, and those that pass its rigorous safety checks and covert inspections land in a database available to subscribers (subscriptions start at $5,000 a year).

"There's such a range of players out there," says iJet president Bruce McIndoe. "Some recognizable brands don't know how to spell the word security. They don't even have anyone in charge of it. Other have sophisticated global operations," he says. "Hotels need to do better. The industry doesn't have standards, and the brands don't have control."

What Hotels Are Doing Now
The week after the Mumbai bombings, police departments in several U.S. cities—including New York, Chicago, and Miami—met with hoteliers to urge them to step up employee training and monitoring, background checks, and lobby security. (Some Manhattan hotels have had 24/7 plainclothes security in their lobbies since 9/11.) Any increase in such safeguards will be a deterrent to would-be attackers, says Grenier. "If they see an obvious upgrade in security, they'll find other targets." Cement blockades at the checkpoint of the Islamabad Marriott reportedly saved hundreds of lives when the hotel was attacked last year, and the Sheraton Karachi, where 13 people were killed in a 2002 suicide bombing, recently touted its "security enhancements." The days of keeping mum on security so as not to frighten guests may be over as safety measures actually become a marketing tool—particularly in a competitive economy.