I think that is a dangerous statement.
They can use the best protocols, but if workers open ransomware emails or leave their PC open for someone without the proper clearance to get a file they shouldn't, they can't work against that.
Those concerns are dangerous for the company, sure, but QA staff rarely have the technical expertise to protect a company against ransomware emails or improper computer access. Company IT is responsible for developing protocols to protect the company against those emails or ensuring company computers/users have controlled access to data (IT can set the computers to automatically lock if not active for x amount of minutes, etc). But those hazards are different from the Food Defense measures that QA and Production personnel would be able to handle or protect against.
Food Defenses is defined in the US as efforts to prevent intentional food contamination by biological, physical, chemical, or radiological hazards that are not reasonably likely to occur in the food supply. I guess one example that comes to mind would be if someone were to maliciously hack to override or bypass electronic door locks to allow unauthorized persons into a building. Your average QA tech is going to be able to add/remove users from the security program controlling those doors, they can review logs to monitor who enters certain areas and question when someone entered somewhere they shouldn't have. But a hack? That's going to rest on your IT department having protocols to monitor for such a breech.
I can say I'm speaking from possibly limited experience, but my digital environments where I've worked to date are not related to Food Defense as defined. It's usually discussed in the Crisis Control program as a matter of business continuity, where a disruption to our computer network would only affect our ability to ship/receive and conduct business, but doesn't pose a significant risk to contamination of product. I did mention other places might have a risk depending on their processes, so it's something that needs to be evaluated individually, but still the responsibility for that security will rest with your IT departments.