Enable two-factor authentication on all your firm's accounts.
That way, if your username and password are compromised, you should still be protected against someone posting to your firm's account or changing its settings.
Do not share the password to your firm's social media accounts. If you give someone your password, they can lock you out.
If you want someone to post to the firm's account, delegate access to them in a way that you can readily revoke.
If you cannot do this directly through the platform's own systems, you'll need third-party software or a service to do this (which comes with its own risks).
Aside from regulatory or ethical rules, think carefully before posting on your firm's behalf.
Does the photo of the office give away information useful to an attacker?
Does the photo of you all at an awayday or retreat suggest that your premises are unoccupied?
Be careful what you post: do you really want to announce when you are away?
Once something is posted online, you lose control of it. You cannot stop someone taking a screenshot and circulating it, and you cannot rule out a system caching everything.
You may be comfortable with this, but still not want an everlasting history of posts showing on your account.