Keeping up with the security checklist

If you try to put together a checklist of all the up-to-date security practices a hotel should have a handle on, it quickly becomes evident that this is a much-overlooked arena, despite a need to make it an essential business practice. True, some security is a second-nature part of the day to day, like keeping an eye on the roving CCTV cameras, but what about the ones that have no screen to keep you on track or which don’t have a financial incentive in the way that CCTV provides security for stock or cash? Building security, guest security, staff security, data security, cyber security; the list is somewhat endless. It covers the physical space, the operations, the guest experience and the staff welfare, not to mention the more recent and pressing issue of the ‘virtual’ cyber space too. Then of course, safeguarding and security is also impacted by demographic; children and young people need different safeguards to adults, and how for example do you appropriately differentiate policy for individuals with disabilities or the lone female traveller? So what should you be considering for improvement? Aside from the obvious like CCTV and security teams, who discourage bad behaviours, good cyber policies and data protection, there are lots of things hotels can do to improve the feeling of safety and security. In the last few years, we’ve had numerous incidents raised with us that make us question the security policies of hotels across the board; for example being able to leave luggage with the concierge or left luggage room, without checking ID or room number, and having a few well-lit ‘safe’ car parking spaces, leaving the rest in semi-darkness. These among others had us concerned and so we wanted to see how prevalent lapses of security are, and of course quantify the results. Cue a mystery shopping project to test security. About 18 months ago, a team of Quality in Tourism assessors ran a mystery shopping project in the centre of London looking at security in Hotels. Initially, we focussed on the big-name outlets, famous around the world, and found, unsurprisingly, that there were very few if any lapses in their front-of-house security, mostly driven by the fact that they are so focussed on customer service. All of the ones investigated initially were high profile brands, and all had excellent security processes with great management buy-in, probably because they attract so much media attention and attract a discerning clientele with high expectations. The only lapses we found at all came in relation to high-profile events, where we were able to walk into conference and meeting rooms with very few checks, simply thanks to a smile, a confident step and some vague knowledge of the event. Next, we focussed on 4 star/group type hotels, and visited 20 properties. The brief was to see how much access the assessor could gain without breaking the law, and how often and when they were approached or challenged. They were also primed with details of a fictional event at the hotel to talk about, should they be stopped or questioned. It was, quite frankly, very easy to walk into a property unchallenged; in fact of the 20 properties we visited, at 100% my team went unchallenged when entering the lobby, and they also went unchallenged 40% of the time when entering through the M&E entrance. At best this is a significant customer service lapse – why weren’t they greeted and offered help – and at worst this is a significant security lapse as the teams had no idea who or how many people are in the property at any one time. What’s worse, the trend did not diminish over time, and there was little correlation between time spent in the venue and number of approaches. In one property, an assessor sat in the meetings and events lounge for 50 minutes without being approached, before she decided to move on. Having delved further into the question of security and reviewed our assessor experiences at the hotel, the internal risks cannot be understated either. Open, non-password WiFi carries risk to the guess and the hotel, leaving the entire network open to ransomware, malware and viruses, while poor quality storage practices for card details leave room for fraud and credit card misuse. Data security was mixed, as were computer practices with even the basics like antivirus and security patches. All pose a major threat to hotels and businesses, and yet there was often a quite laissez-faire attitude to the procedures. By far the biggest threat could be our people, in these days of difficult recruitment how can we ensure we have honest and engaged staff that can still be enabled and trusted? With access day in day out, to cash, personal belongings, data and credit card information, never mind the potential to steal from the business. An amazing residential sports venue I recently visited has a new “cashless” policy, it makes sense from the point of view of a golfer or swimmer using cards or room keys for all payments, practically, easier to cash up / reconcile, less temptation for team members, and as long as you have robust approaches to cyber-crime, why not? However, we are still as an industry not embracing some of the simplest of obligations and legislation and instructing our teams properly or adapting our processes accordingly. Recently on booking a meeting room, I was asked by the team at the property to complete a form with my credit card details, address and signature on it. When I replied that I wouldn’t and they needed to be PCI compliant, I was told it was “their policy”. They were a franchise of a huge international brand, and when escalating my complaint to their parent company was told exactly the same thing – that it was their policy. That’s not legislatively compliant on a credit card front, so then what hope if there for GDPR of my data? Adaptations to the individual Speaking from personal experience, I am that lone female traveller every single week for an average of three nights away from home. In that time, my experience has ranged from hotels with no policy, through to hotels with ill-thought-out and downright patronising policies, through to one or two shining examples hidden away here and there. Aside from whether the safeguards are appropriate and extensive, there are two major issues that I encounter; the first confuses gender with common sense, incorporating ‘safeguards’ for women travelling alone, which should just be standard practice for all guests; and the second is that the policies work ‘on request’ and not as standard. In my opinion, it is a hotel’s responsibility to instigate their policy at all times, and the art form is in instigating that policy without me, as the guest, being consciously aware. Quality in Tourism assess hundreds of accommodation providers globally. To find out more about their assessments, gradings and mystery shopping services, visit www.qualityintourism.com.