There are two types of victims: Those with something of value and those who are easy targets.
Very soon, those who run Windows XP will fall into the latter category.
Those organizations which still cling to Windows XP and fail to migrate to a more modern operating system by April 2014 will find themselves being circled by packs of cyber-wolves looking for easy prey. At that time Microsoft will cease to provide any new security updates or fixes for Windows XP and instead focus on providing support to newer operating systems. This will leave legacy users, who choose not to upgrade, out in the cold.
Each passing day, the risk of compromise will grow. This is just the natural state of security. Vulnerabilities are found, exploits are developed, attacks are launched, and defenders respond with fixes to plug the holes. Normally such patches, updates, and fixes are rushed into production based upon the risks and needs of the users. It creates a natural balance between attackers and defenders. But once an application or product vendor ceases to play this game, the attackers rapidly gain the advantage, to the detriment of users.
After April 2014, new vulnerabilities discovered in the Microsoft OS family will continue to be fixed for modern OSes, but venerable XP will be left behind without any such attention. This is the most opportune point at which attackers can run amok.
Don’t blame Microsoft. They support their products for a long time and must manage resources to effectively protect their current offerings. It is no easy task. Support of legacy software is time consuming and eventually can drag down any operation with diminishing returns. Microsoft has been a good citizen by communicating the risks.
My advice to XP users: upgrade if you can. If not, be prepared with other compensating controls which will protect your vulnerable systems. Consider a layered defense on the network and hosts. For makers of embedded-system appliances, such as machinery, kiosks, and other System-On-a-Chip (SOC) devices, inform your customer base of the risks. They may not understand the significance of the cessation of security patching as it relates to their Service Level Agreement (SLA).