Hospitality Portfolio Pre-Investment Digital Risk Assessment

Bottom Line Up Front

Three Moroccan hospitality assets are evaluated for acquisition: a riad in the Fez medina, a riad-hotel in the Marrakech medina, and a boutique hotel in Casablanca's Gauthier district. Each sits inside a local environment where consumer-grade equipment, weak wireless controls, and informal infrastructure practices create a materially elevated baseline risk. The portfolio remains investable, but digital infrastructure must sit inside diligence, not after closing.

Three risks dominate the transaction stage: inherited technical exposure, brand impersonation during transition, and compliance burden visible only at integration. Fez and Marrakech carry the stronger combined exposure picture; Casablanca offers a better baseline, not a clean one.

Methodology

Public-source enumeration via Shodan and Censys for internet-facing surveillance exposure. Passive Wi-Fi proximity survey (WiGLE methodology) in each district. Regulatory review against Moroccan Loi 09-08 and Loi 05-20. Short, time-bounded field visits informed by thirteen years of recurring presence in the country. ICD-203 estimative-language conventions throughout. No penetration testing, authenticated scanning, or asset-level validation.

Key Findings

• Fez (medina riad). District wireless baseline ~3,200 BSSIDs, ~70% WPS-enabled, 0% Wi-Fi 6E. Dense medina conditions and Arcadyan/Maroc Telecom hardware dominance increase the likelihood of fragile, convenience-led setups at property level.
• Marrakech (medina riad-hotel). ~2,900 BSSIDs, ~64% WPS-enabled, limited signs of partial hardware refresh (~13% TP-Link aftermarket). Acquisition risk here is false reassurance: polished commercial appearance over improvised technical base.
• Casablanca (Gauthier boutique hotel). ~1,500 BSSIDs, ~45% WPS, ~40% 5 GHz dual-band, broader vendor mix. Strongest baseline of the three, but probable clientele sensitivity raises the cost of being wrong at property level.
• Threat scenarios. Four mapped to the acquisition lifecycle: inherited technical debt, duplicate-listing fraud during rebrand, staff-channel leakage via unmanaged messaging, compliance exposure surfaced at group integration.

What This Brief Does and Does Not Claim

The brief is illustrative. Client, properties, and quantitative indicators are constructed for demonstration; the methodology, analytic standard, and reasoning reflect how a real engagement of this type would be conducted. Evidence is strongest at city and district level. Property-level claims about internal topology, segmentation, or credential hygiene are explicitly out of scope and would require site access. Confidence: HIGH on environmental patterns, MEDIUM on compromise plausibility at individual properties.

The full report (v5.0, 14 pp) includes district-level wireless baselines, four threat scenarios mapped to the acquisition lifecycle, confidence-tagged judgements, five transaction decision points, pre-acquisition and 90-day action sets, and a risk matrix designed for non-technical decision-makers.