by Jim Sharp
Earlier this year, just to get away for a quick break, I decided to spend a weekend at a high-end resort in the Missouri Ozarks. It’s the off-season for the resorts there, so the price was right, and my workload - for once – allowed it.
Driving in through the main entrance I drove right past the security gate. No one stopped me because there was no one there. It was shuttered, empty and unmanned. Continuing past several resort buildings (any one of which I could have stopped at) I finally arrived at the main lobby and went in to register. Imagine my surprise when the young lady at the front desk asked me for my method of payment, but not my identification. When I asked if she needed my vehicle information, her reply was, “No, that’s not necessary. It’s the off-season, so parking won’t be a problem.
The resort is built on a hillside, with the main building attached more or less vertically to the hill. This placed the parking garage underneath part of the building, and immediately adjacent to the rest. As I had been able to do at the main gate, I drove right into the garage. There was no security checkpoint or gate (manned or otherwise) – just an unrestricted entrance. The biggest surprise was yet to come. The doors leading from the parking garage directly into the elevator lobbies and corridors of the guest room wings were unsecured. Not just unlocked, but unsecured. No key or key card necessary. Just pull the handle and the door opens.
At this point I have driven onto the resort property, into the garage, and have entered the guest room area. Not once has anyone verified who I am (although I assume they believe they know, because the name on the credit card matches the name on the reservation). No attempt has been made to identify or account for my vehicle. No one has asked if I am alone or accompanied. In fact, had I been so inclined, I could have skipped the check-in part and simply driven onto the property, into the parking garage, and walked into the guest wings and no one would have been the wiser. The first actual, active “security” measure I encountered was when I had to use the key card to enter my room, and since they don’t really know who I am, sleeping behind a locked door makes me feel better but doesn’t do much for the rest of the resort or its guests. Normally I would have turned around, asked for a refund, and left – but this seemed like a pretty worthwhile research opportunity so I decided to stay.
Over the ensuing weekend I was able to come and go as I pleased – able to enter any building on the property (buildings designed for guests, buildings with multiple meeting rooms, etc.) with no key, key card, or reason why. Some doors which obviously should have been locked were actually propped open, apparently to shorten the walk for guests: why walk all the way around to the front of the building when you can just enter through the emergency exit, right? The only regular “security” I encountered was at the entrance to the pool, where they asked to see my wristband to make sure I had paid to be there.
Had I been a terrorist looking for his or her next target, I’d have had to look hard – really hard – to find a better one. Here I am, and they don’t really know who I am, or who might be with me, or what I’m driving. Oh, and have I mentioned that any and every first responder would have to drive down the same winding, narrow two-lane blacktop highway to get here, and that once on the property the roads only get more narrow and more winding?
Their “security” protocols seemed designed primarily to make sure that only paying guests were on the property or enjoying the amenities. That’s understandable. No one wants to pay a lot of money and feel as if they’re vacationing in a penal institution, and some potential guests may feel that a resort with lots of visible security measures must be under some type of threat and decide to stay elsewhere. Yet just because that attitude is understandable doesn’t mean it’s defensible. High-end hotels and resorts are steadily moving toward the top of the list of potential targets for terrorist groups and lone bad actors. Why? They represent plenty of potential victims, with their guard down, grouped together, in a relatively small area with which they are unfamiliar and which often has restricted means of ingress or egress. And you don’t have to look very hard for examples:
• In June of 2015 a lone terrorist, concealing what was described as an AK-47 rifle within an umbrella, killed 38 people and wounded at least 39 others at a beach resort in Sousse, Tunisia. The attacker started by shooting people who were on the beach, then moved on to the resort’s outdoor pool and finally the hotel lobby before being engaged and killed by security forces.
• The November, 2015 attack by armed terrorists against guests of the Radisson Blue Hotel in Bamako, Mali resulted in the deaths of 20 people. This was the third terror attack directed against public venues in Mali in 2015; an attack on a crowded bar in March killed five people, and 13 others were killed in a hotel siege in August.
• Two knife-wielding terrorists slashed and stabbed patrons of a hotel’s outdoor restaurant in Hurghada, Egypt, in January of 2016. Three people were wounded before police and security forces killed the attackers.
Also in January of 2016, 29 people were killed and more than 50 wounded in a terror attack directed against the Splendid Hotel in the city of Ouagadougou, Burkina Faso (a former French colony in West Africa). Investigations have revealed that at least some of the terrorists actually entered the hotel hours before the attack and mingled with guests in the public use areas. When the other members of the group began their attack by shooting people in the café across the street, the terrorists already inside the hotel attacked as well, putting potential victims in an almost no-win situation with terrorists both inside and outside their hotel.
To those who might be reading this and saying, “Well, that all happened overseas. Nothing like that would ever happen here.” did you also think that something like Boston, or Chattanooga, or San Bernardino, or Orlando would never happen here? In another recent terrorist attack on American soil – February 11th, 2016 - an Islamist radical walked into a neighborhood restaurant in Columbus, OH and attacked patrons with a machete. Sounds strikingly similar to the Hurghada attack, but nothing like that could ever happen here, right? Four people were wounded, and (after being pulled over fleeing the scene) the attacker was shot and killed by responding police when he lunged at them with a knife in one hand and machete in the other.
The Paris terror attacks targeted bars, restaurants, a sports venue and a concert. The terror attack in San Bernardino targeted a group of people at a company gathering. The bombers in Boston targeted people on the streets and the terrorist in Philadelphia ambushed a police officer driving his patrol car. The Chattanooga attack was directed against what could technically be described as a military “installation,” but that installation was a store-front recruiting office and the attack strikingly similar to the 2009 attack on the recruiting offices in Little Rock, Arkansas.
If you operate a high-end resort or hotel, you need to make sure your security protocols and emergency procedures are just as top-shelf as your amenities; your guests are paying for those, too. We know terrorists are continually developing new tactics and strategies, and we know that they test those tactics to see what actually works. When something works, we know they export it to other theaters of operation. We should be preparing for this scenario now.
Jim Sharp, Vice President and Chief Training Officer with Aegis Emergency Management, is a 30-year veteran of the emergency response and emergency management professions and a highly-sought trainer and presenter. An experienced Incident Commander and Emergency Operations Center Manager, Jim is a certified Professional Continuity Practitioner and Respiratory Protection Program Manager for incidents involving weapons of mass destruction. Prior to starting his own firm in 2010, he spent the immediately previous 10 years with an Illinois jurisdiction working his way through the ranks (from officer through corporal, sergeant, and lieutenant) and holding positions as their Emergency Management Agency's Field Training Officer, Public Information Officer, and Assistant Coordinator (equivalent to Deputy Chief). Jim has trained literally thousands of people – civilians and first responders - on topics that include severe weather safety, continuity of operations, CERT, pandemic preparedness, incident command, the National Incident Management System, and many more.