First actionable steps for an IT manager to build ecommerce cybersecurity policy
#1
I'm the newly appointed IT manager for a small but growing e-commerce company, and I've been tasked with developing our first formal cybersecurity policy. We handle customer payment data, so getting this right is critical. I'm looking to establish foundational cybersecurity best practices beyond just basic password policies. For those who have built a program from the ground up, what were your first actionable steps? How did you effectively implement measures like mandatory multi-factor authentication, regular employee security training, and a clear incident response plan without overwhelming a small team? What free or low-cost tools did you find indispensable for vulnerability scanning and monitoring, and how do you balance security with user convenience to ensure adoption?