Professional Documents
Culture Documents
Sgsecure Hotel Guide
Sgsecure Hotel Guide
@Workplaces
Guide for Hotels
R E C E P T I O N
A Collective Partnership
Introduction
Today, terrorism poses a real and rising threat to our way of life. A single attack at
a hotel, tourist attraction or busy public location has the potential to cause great
devastation, not just to individual lives and businesses, but also to our long-term
stability and prosperity.
• How big a risk does your hotel face from terror attacks?
• What actions can you take today to protect property, data and lives?
• What should be the course of action to take when a crisis strikes?
• How can you create a business continuity plan to respond to and recover
from an attack?
We have also included training tools and resources to help you equip your
colleagues and stakeholders. You may wish to refer to the online version of this
guide at www.mom.gov.sg/sgsecure for latest updates that may have taken
place after this publication went to print.
1 SGSecure
& You
Terror and Cyber Threats
to the Hotel Industry
4
Regardless of ideology or method, all terror attacks share the same goal of drawing
attention to their cause. Many terrorist groups now have an online presence,
connecting supporters and coordinating large-scale attacks on hotels, malls, and
other similar locations.
Cyber attacks have also been on the rise, and are concerning as they can disrupt
business operations. In 2018 alone, such incidents – which primarily took the
form of email scams and data breaches – cost businesses in Singapore millions
of dollars.
Hotels can be attractive targets for cyber criminals as well, given the large volume of
ȴQDQFLDOWUDQVDFWLRQVDQGJXHVWGDWDFROOHFWHGΖQDQLQWHUQDWLRQDOKRWHOJURXS
revealed that hackers had gained unauthorised access to millions of guest records
worldwide in a breach of its reservations database. Cyber attacks can also severely
impact hotel operations. In 2017, a ransomware attack disabled the electronic lock
system in a family-run Austrian hotel and prevented the issuance of new key cards.
Review all the proposed guidelines, and implement or adapt them according
to your needs
Use the training tools and digital resources to update your employees’
knowledge and upgrade their skills
6
Cyber Attacks
Regardless of whether hotels use their own in-house systems, or depend on third-
party software and cloud-based systems to conduct daily operations, they can still
EHVXVFHSWLEOHWRF\EHUWKUHDWV:KLOHWKHUHDUHPDQ\EHQHȴWVWRGLJLWDODGRSWLRQLW
also presents security challenges.
In the past 5 years alone, several well-known international hotel chains have been
targeted by attackers and hit through vulnerabilities in their Point of Sale (POS)
V\VWHPV %H\RQG ORVLQJ WKH WUXVW RI JXHVWV DQG KDYLQJ WKHLU UHSXWDWLRQV DHFWHG
WKH\DOVRIDFHGPLOOLRQVRIGROODUVLQȴQHV
3RVVLEOHHHFWVRIDF\EHUDWWDFNLQFOXGH
7KHIWRIGDWDPRQH\RUFRQȴGHQWLDOLQIRUPDWLRQ
2 Prevention
Before Crises Strike
$WHUURUDWWDFNFDQSURGXFHZLGHVSUHDGHHFWV1RWRQO\ZLOOLW
result in loss of lives, it can also disrupt hotel businesses, leading
to job losses and a negative impact on the economy.
Scan QR code
to register your
SGSecure rep
2.2 Preparing
Your Workforce
A prepared workforce consists of vigilant, alert and capable employees who can
act on signs of terrorism as soon as they appear. By establishing good practices
in hiring, training, and day-to-day operations, hotels can equip employees with the
tools and knowledge they need to identify and address possible threats.
Watch out for the symbols below to see how you can adapt a policy
WRVXLW\RXUKRWHO
6ROXWLRQVWKDWKRWHOVZLWKPRUHVL]HDEOHWHDPV
may consider
Senior Management
General Procedures
The hotel owner should be responsible for the Emergency
Response Plan (ERP)
The ERP should be updated and reviewed regularly,
and employees should be familiarised with its contents
Regular testing, table top and emergency exercise should
EHFRQGXFWHGWRYDOLGDWHLWVHHFWLYHQHVV
Security Personnel
Manpower Deployment
)RUJHQHUDOSUHSDUHGQHVVHQVXUHWKDWDVXɝFLHQWQXPEHURI
personnel are always on duty or on call
Ensure that personnel are familiar with the hotel’s security
and emergency plans
)RUPXODWHDVHDUFKSODQWRJXLGHVHDUFKHRUWVGXULQJDFULVLV
Appoint someone who is familiar with the hotel layout to be
in charge of the search team
Organise a Company Emergency Response Team (CERT)
ZKLFKZLOOEHWKHȴUVWOLQHRIUHVSRQVHLQWKHHYHQWRIDFULVLV
General Procedures
Establish standard operating procedures for various types of
terror and cyber attacks
Consider involving local authorities or external auditors when
conducting a drill or tabletop exercise so that gaps can be
addressed to strengthen your hotel’s security practices
Planning process:
Consult third-party professionals when evaluating the hotel
security plans
Stay updated on the national terrorism threat assesment
UHOHDVHGE\WKH0LQLVWU\RI+RPH$DLUVDQGWDLORUVHFXULW\
plans accordingly
Non-Security Operations
General Procedures
Brief employees on procedures to handle lost employee passes
and room keys
Learn to spot common tell-tale signs of terrorist activity
(see page 58)
Stay alert to suspicious items or behaviour when cleaning rooms
or working onsite
17
Hotel Administration
Tip
General Procedures
Hiring new employees:
Check and verify the details they provide on their CV
or resume
Incorporate physical security and cybersecurity training
into employee orientation or on-boarding programmes
18
ΖI \RXU KRWHO TXDOLȴHV DV DQ 60( \RX PD\ DOVR
be eligible for enhanced training subsidies for
SkillsFuture Singapore courses (see page 68)
Day-to-Day Operations
7KH HHFWLYHQHVV RI \RXU KRWHO VHFXULW\ UHVWV RQ WKH DELOLWLHV DZDUHQHVV DQG
knowledge of the people enforcing it. Constantly reminding employees of correct
procedures and staying alert to suspicious behaviour can go a long way in guarding
against terror or cyber attacks.
Security Personnel
Non-Security Operations
General Procedures
Put up relevant posters at areas where employees commonly
gather (e.g. employee cafeteria of rest areas)
Test employees regularly on possible signs of terrorism (see
page 58)
Conduct drills with Security Personnel on how to act in a crisis
Hotel Administration
General Procedures
Remind all employees, regardless of role, to immediately contact
emergency or key security personnel on spotting suspicious
items, activities or behaviour of guests, or weaknesses or lapses
in site security
Remind all employees to watch for signs of possible
radicalisation in colleagues and employees (see page 59)
Illustrated Summary:
Preparing Your Workforce
Non-Security Operations
• Regular checks on employees’
knowledge of crisis management
and emergency procedures can be
conducted with reference to ERP*
• Put up relevant posters at
employees’ common areas
• Learn to spot common tell-tale
signs of terrorist activity
• Stay alert to suspicious items or
behaviour when cleaning rooms
Security Personnel
• Ensure there are enough people on
duty or on call
• Have a location to securely detain and
question suspicious individuals
• Brief all third-parties on hotel evacuation
and crisis management plans
*
Emergency Response Plan
21
Senior Management
• Assign a person or team to plan
and organise security operations
• Regularly review and update ERP*
Hotel Administration
• Consider incorporating security training into the employee
orientation programme
• Ensure employee with access to sensitive data practise
good cyber hygiene and data protection habits
• Provide key employees with two-way communication devices
22
2.3 Protecting
Your Workplace
A terror attack at a poorly protected workplace could result in injuries and loss of
lives of employees. A cyber attack could result in sabotaged IT systems, disrupted
supply networks and business operations. Hotels can also incur costs from
UHEXLOGLQJLQVXUDQFHSD\RXWVORZHUHGSURȴWVWKHORVVRILQYHVWRUFRQȴGHQFH
and dropping employee morale.
Deter
Implement measures that make potential attackers see your
KRWHODVWRRGLɝFXOWULVN\RUGDQJHURXVWRVWULNH
Delay
Put physical and system barriers to slow the progress
of an attack on your hotel, allowing security and IT teams
to respond and mitigate harm.
Detect
Find and address signs of terrorism or cyber crime as early
as possible, lowering the harm or threat they pose.
Deny
Safeguard employees and guests by ensuring that only
authorised persons can access important information
or areas.
23
You may use the following guidelines to identify actions that suit your hotel’s security
needs and risk levels.
Senior Management
Manpower Deployment
Enrol employees in the Corporate First Responder (CFR)
Scheme, which gives them a Cordon Pass to enter restricted
VLWHV DQG DVVLVW ZLWK UHFRYHU\ HRUWV LI DQ DWWDFN RFFXUV
(see page 70)
Standby a pool of professional counsellors who can be
FRQWDFWHG WR SURYLGH SV\FKRORJLFDO ȴUVW DLG IRU JXHVWV
and employees
Safeguarding Your Business
Formulate business continuity plans on how your hotel would
recover from a terror or cyber attack
After any incidents, review the activity log to identify loopholes
and areas for improvement, and then revise your existing
plans accordingly
Register for the Workplace Safety and Health Council’s
bizSAFE programme to improve your hotel’s safety, health
and security capabilities
Security Personnel
General Procedures
Create and maintain an incident activity log, with an employee
assigned to update it as events occur
'HYHORS D SURFHGXUH WR FRQWURO KRZ RVLWH SHUVRQQHO PD\
gain access to restricted areas, both during regular operations
and during a crisis
Non-Security Operations
General Procedures
When handling lost room keys, verify the identity of any
individuals requesting new or extra keys
During peacetime, create open channels of communication
with hotel administration and senior management to ensure
everyone is updated promptly
During a crisis, help to ensure all guests are accounted
for and kept aware of any developments that may occur
25
Hotel Administration
General Procedures
When employees have resigned or are terminated,
review their access rights (e.g. employee passes, biometric
information, keys and passcodes) to prevent them from
obtaining sensitive information or entering secure areas
Create procedures to handle loss of any form of security pass
(including both physical keys and digital passwords)
Day-to-Day Operations
Ultimately, the people who work in your hotel are the ones who will ensure
it is safe and secure. It is important that every employee – from non-security
operations to senior management – keeps a look out for suspicious activities or
individuals on a daily basis. This is critical in detecting terrorist activity or signs of
cyber terrorism before it escalates to a crisis.
Security Personnel
Manpower Deployment
6WDWLRQ HPSOR\HHV RU VHFXULW\ RɝFHUV DW UHVWULFWHG DFFHVV
areas and ensure they are able to identify persons and vehicles
permitted to enter
If manpower constraints do not allow you to
VWDWLRQ VHFXULW\ RɝFHUV \RX FRXOG HQFRXUDJH DOO
employees to look out for unfamiliar persons or
utilise technology substitutes, such as CCTVs, to
monitor for intrusions and cover more ground
General Procedures
Look out for vehicles parked for a prolonged period of time,
and question vehicle owners about their presence
Enforce strict access control measures by only allowing those
with employee badges and passes or authorisation letters
(for third parties) to enter restricted or employee-only areas
Conduct regular, but unannounced patrols and inspections at
vulnerable areas, or engage a vulnerability or penetration
testing service
27
Non-Security Operations
General Procedures
Stay alert to possible signs of terrorist activities when
performing tasks like accepting deliveries, cleaning and
interacting closely with guests (see page 58)
Maintain records on holders of all keys, and restrict access
to master keys
&KHFN DQG FRQȴUP WKH LGHQWLW\ RI WKLUGSDUWLHV DQG JXHVWV
by ensuring the legitimacy of documents they provide,
particularly if they are requesting room keys or information
Log down and promptly report any suspicious incidents to
security personnel
Some types of people an attacker or criminal may
impersonate:
Hotel Administration
General Procedures
Adopt the measures from Cyber Security Agency of
Singapore (CSA)’s Be Safe Online Handbook (see page 66)
Know what your cyber assets are
Allow only authorised software to work
Patch and update software in a timely manner
Be selective when granting admin account privileges
Detect breaches promptly
Control access via multi-factor authentication
Encrypt your critical information assets
28
Senior Management
Security Personnel
Emergency Evacuations
Establish lockdown procedures in preparation for an
emergency lockdown
Display emergency exit maps and important contacts in all
guest rooms
Ensure that evacuation plans can accommodate guests or
employees with special needs
Ensure all public, communal, and external spaces are clean and
well lit, and keep the evacuation pathway clear of obstructions
Emergency Sites and Assembly Areas (AAs)
For non-terror incidents
Identify at least two alternative AAs
Display clear directions to these areas
During terror incidents
As AAs are vulnerable to secondary attacks, building occupants
should not assemble or be ushered to them
You may account for employee safety virtually via online
platforms or mobile messaging applications
The SGSecure Contingency Planning Checklist for Building
Owners contains additional resources such as guidelines to
prepare the lockdown decision matrix for your hotel’s
contingency plan, and help for building owners to plan for
contingencies such as terror attacks
Emergency Storage/Shelters
Allocate a readily accessible area for storage of emergency
equipment and supplies
Regularly inspect and replace faulty items, and ensure that the
area is well-protected
Designate shelter-in-place locations to protect guests and
employees from external attacks
Exterior Areas
Review security measures based on Guidelines for Enhancing
Building Security in Singapore (GEBSS) (see page 66)
Evaluate the ease of intrusion at the hotel perimeters and
install perimeter barriers if needed
Install barriers to keep vehicles a safe distance away from the
hotel entrance and gathering areas
Employ a speed control system to control approaching vehicles
at the hotel entrance and other vulnerable areas of the proper
'HȴQH WKH KRWHO SHULPHWHU DQG LGHQWLI\ DOO SRVVLEOH H[LWV
and entrances
Display signage to identify access points for guests, vehicles,
and pedestrians
(QVXUHWKDWXQXVHGDFFHVVSRLQWVDUHVHDOHGRRUORFNHGDQG
monitored for intrusion
30
Interior Areas
Install panic buttons at vulnerable areas in the hotel
(PSOR\DQWLVKDWWHUȴOPJOD]LQJSURWHFWLRQRUODPLQDWHGJODVV
WRPLQLPLVHLQMXULHVFDXVHGE\ȵ\LQJJODVVSLHFHV
Install a Public Address (PA) system to aid in the mass
dissemination of information and announcements during
an emergency
Adopt layered security by designing layered access points
to critical areas
Install access control devices at restricted areas, and maintain
records of all access
Use video surveillance where appropriate, and review footage
of suspicious activities
Systems to Install
InstDOO LQWUXVLRQ GHWHFWRUV PRWLRQ GHWHFWRUV ȴUH DQG VPRNH
alarms where appropriate
Have a procedure in place for reacting to triggered alarms
or detectors and exercise it regularly
Non-Security Operations
Interior Areas
Conduct regular checks on all locks and access control devices
to ensure they are functioning as expected
If non-electronic keys are used, the serial number should be
recorded in a log when guests check in or out of the hotel
In the event of missing keys, replace your locks promptly
10
31
32
Illustrated Summary:
Protecting Your Workplace
Security Personnel
• Ensure all employees are
familiar with ERPs* and
evacuation plans, and instruct
them to avoid Assembly Areas
during terror incidents Staff
• Establish lockdown procedures Only
and secure emergency storage
or shelters
• Create guidelines to act on
the presence of suspicious
vehicles, people or items
• Review security measures based
on Guidelines for Enhancing
Building Security in Singapore
(GEBSS) (see page 66)
Non-Security Operations
• Apply procedures to verify guests’
identities if keys are lost
• Stay alert to possible signs of terror
related activity
• During a crisis, help to ensure all guests
are accounted for and kept aware of
any developments that may occur
*
Emergency Response Plan
33
Senior Management
• Create business continuity and
communications plans for terror
and cyber attacks
• Regularly evaluate and upgrade security
measures in exterior and interior areas
• Enrol employees in Corporate First
Responder (CFR) Scheme
Hotel Administration
• Adopt the measures in
CSA’s Be Safe Online
Handbook
• Monitor employee access
rights and promptly remove
those of resigned or
terminated employees
• Work with Senior Management
to develop plans to stabilise
the situation in the immediate
aftermath of crises
• Develop post-crisis marketing
and publicity plans to aid in
business and revenue recovery
34
2.4 Partnering
Your Community
Terror attacks aim to destroy the trust that binds us together, driving colleagues,
stakeholders, organisations and communities apart, reducing our ability to
function as a society. Every hotel relies on a community to support on-going
operations, so it is essential to form and maintain strong bonds by strengthening
internal and external communication channels. By improving the coordination
DQGȵRZRILQIRUPDWLRQSHRSOHPD\UHVSRQGPRUHTXLFNO\DQGGHFLVLYHO\GXULQJ
a crisis, minimising unrest and disorder.
Non-Security Operations
Senior Management
Hotel Administration
General Communications
Alert employees and stakeholders on where to go for accurate
and up-to-date information during and after crises
Work with non-security operations to create, maintain and
regularly update a contacts list of contractors, suppliers and
business partners who can support business operations during
a crisis
Emergency Communications
Create and maintain an authoritative source of hotel
information and provide constant updates on the crisis
VLWXDWLRQ WKURXJK \RXU KRWHOȇV RɝFLDO VRFLDO PHGLD FKDQQHOV
and website
$SSRLQWDVSRNHVSHUVRQWRPDQDJHPHGLDUHODWLRQVHHFWLYHO\
and consider supporting them by registering them for crisis
communications courses
Engage the telecommunication providers in Singapore to
develop restoration procedures in the event of a disruption to
communication services
Security Personnel
Senior Management
Security Personnel
Emergency Communications
Set up a Crisis Command Centre to control, monitor and
coordinate your hotel’s response to a crisis
Set up a Crisis Response Team (CRT) ZLWKSHRSOHIURPGLHUHQW
departments
6KRXOG\RXGHVLJQDWHWKH&(57DVWKH&57SURYLGHEULHȴQJ
and training on their expanded roles
You may use the template on the SGSecure@Workplaces
website to do so
Scan QR code to
visit the SGSecure@
Workplaces website
Non-Security Operations
Hotel Administration
General Communications
Where permissible, organise face to face or virtual team-
building activities to encourage and motivate employees
(e.g. themed online meetings where employees can participate
actively)
Illustrated Summary:
Partnering Your Community
Security Personnel
• Work with senior
New management to test, refine
Security
ecurity and improve security plans
Plan
• Join the SSWG* to network
with neighbouring
buildings, pool resources
and learn about safety and
security best practices
• Set up a Crisis Command
Centre with a dedicated
CRT#
Non-Security Operations
• Create and participate in activities to
befriend and support one another
• Get to know employees in other job
areas like security or administration
• Identify alternative suppliers for the
hotel’s F&B and amenity needs
• Consider having a department
based platform to directly
communicate with, or raise security
concerns to higher management
* #
Safety and Security Watch Group Crisis Response Team
39
Hotel Administration
• Prepare a list of key contacts
(e.g. contractors, suppliers and
business partners) to support post-
crisis operations
• Establish procedures to restore
communications in crises for both
employees and hotel guests
• Establish an official online presence
to disseminate information and
correct rumours
• Communicate regularly with
employees and act promptly on
feedback
Senior Management
• Work with neighbouring
hotels to room guests
affected by crises
• Promote a vibrant, united
company culture
• Implement grievance
handling procedures
40
41
3 Responding
to Threats
Measures and Immediate Actions
to Handle Crises
The following section showcases innovative measures used by local
hotels to address terror threats. Given the unique aspects and
circumstances of each hotel, many of these have been developed to
DGGUHVVVSHFLȴFDVSHFWVRIWKHKRWHOVȇFLUFXPVWDQFHVHJEXLOGLQJ
architecture or manpower).
The hotels below have found creative ways to balance between enhancing security,
satisfying guests’ needs, and maintaining a hospitable image.
Hotel Statistics
202 120
Rooms Full-time Employees
Their Challenges
Their Measures
Hotel Statistics
420 240 20
Rooms Full-time Part-time
Employees Employees
Their Challenges
Their Measures
Their Challenges
Their Measures
Security Personnel
Cyber Attacks
Your hotel may use digital and cloud services to facilitate operations, such as online
booking systems, loyalty programmes, cashless POS systems and more. You can
prevent these from being exploited through implementing strong cyber security
measures and establishing a response plan to handle cyber attacks.
Scan QR code to
read more
Phishing
This refers to emails or messages that appear to come from a reputable
source, such as banks. The goal of such emails is to obtain security
credentials or personal data from users. For example, attackers could
use spoofed email accounts to impersonate a hotel’s CEO, business
partner or known contact of the victim to request data from him or her.
Hotel Administration
6FDQ45FRGHWRȴOOLQWKH
SingCERT’s Cyber Incident
Reporting Form
This section will explain how you can stay in touch with your stakeholders and
suppliers during times of emergency. You will also learn how you can provide
psychological support to employees and hotel guests.
Senior Management
Security Personnel
Hotel Administration
5 Resources &
Recommendations
58
Possible Signs
Below are some possible signs to look out for, and the list is not
exhaustive. These include:
Avid reading of radical materials
Spreading and reposting terrorism-related pictures, videos and posts online
Expressing support for terror groups
Stating intentions to commit terrorist violence, or encouraging others to do so
ΖQWKHQH[WVHFWLRQ\RXZLOOȴQGPRUHFRPSUHKHQVLYHWLSVWRLGHQWLI\WHUURU
threats grouped according to key hotel roles.
60
Blankets or tarps
covering large items Person repeatedly driving
around the hotel, or driving
by on different occasions
Educational Resources
Utilise MOM bulletins, Utilise other SGSecure
case studies, e-learning UHVRXUFHVYLGHRV
modules, brochures, contingency planning
videos, posters, checklists, posters, and
templates, and other apps
materials, to prepare
your workforce, protect
your workplace and
partner your community
67
Posters to Display
*
7RȴQGRXWWKHTXDOLI\LQJFULWHULDDQGSHUFHQWDJHRIIHHVXEVLGLHVUHIHUWRWKHRɝFLDOZHEVLWHIRU
UHJXODUXSGDWHV
SkillsFuture Framework
This is a range of courses that have been designed
to sensitise non-security employees or upgrade the skills of
security employees. These courses address gaps in particular
DUHDVVXFKDVUHFRJQLVLQJWHUURULVWWKUHDWV
Skills Framework for Security
6LQJDSRUH:RUNIRUFH6NLOOV4XDOLȴFDWLRQ:64
This is a national credential system that trains, develops
DQG FHUWLȴHV VNLOOV DQG FRPSHWHQFLHV ZKLFK DUH YDOLGDWHG E\
employers, unions and professional bodies.
Non-Security Operations
Pre-Crisis Support
Ministry of Manpower
To register SGSecure reps, and learn how to implement SGSecure at your
hotel workplace, visit: www.mom.gov.sg/sgsecure
Tel: 6438 5122
Email: sgsecure_workplaces@mom.gov.sg
Scan QR code
for more information
Emergency Contacts
Singapore Police Force
Hotline: 999
SMS: 71999
Post-Crisis Support
SINDA
Website: www.sinda.org.sg
Tel: 1800 295 3333
Website: www.mom.gov.sg/sgsecure
Email: sgsecure_workplaces@mom.gov.sg