As a small company with good policies in place the risk is indeed a lot less. Do remember though, most of the risks do not come from outside to inside (which usually is firewalled the best) but from inside to outside, either through employees falling for phishing campaigns which might or might not be tailor-made for your company (with 10 employees it's more common to get caught by generic phishing than by tailor-made campaigns), employees browsing on infected websites, or USB sticks.
How do they know you run XP? The same way stuff like Netmarketshare does: web analytics combined with honeypots and stuff. Every online request (be it to open a webpage, load a banner inside that webpage, etc.) through TCP headers / cookies and whatnot gives the other side information about the OS / browser used and sometimes a lot more. If your company is interesting enough that people want to know what kind of OS you run internally, they will find out one way or another. The question is though, is your company interesting enough for them to jump through hoops and make the effort to try to steal your information.
Best practices for Windows XP formulated here are at least:
1. Don't run it.
2. When 1 is not possible: Run it on a (virtual) machine without networking hardware and / or USB ports.
3. When 2 is not possible: Run them in a non-internet-enabled VLAN that cannot initiate any traffic to the internet or other internal networks.
4. If none of those are met or cannot be met, you are considered not safe.
Also, how do you check backups? A lot of the companies I mentioned do run backups, and think they check them, but their check is only to check daily if the backup has run. However, that is not a safe check. At least every few months you need to simulate a disaster recovery in a test environment to make sure that the backups you make also work should they ever be needed. It's advised to do smaller recoveries (let's say a test recovery of a couple of hundred random data files) on a weekly basis. A lot of companies forget this though, and in my 12 years in IT I have now witnessed at least 10 companies lose a lot or even all of their data due to their backups being compromised when they needed them after a disaster and the backup chains being corrupt and not readable.
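The weekly "restore a couple of hundred random files and check they are usable" test described in the comment above can be automated. The following is an added example, not code from the original post or from any backup product: it records a hash manifest of the source files at backup time, later restores a random sample from the backup copy into a scratch directory, and reports each file as ok, missing, or corrupt. The sample data set, the simulated damage to the backup (one truncated file, one deleted file), and the plain directory copy standing in for real backup media are all constructed here for illustration.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_root: Path) -> dict:
    """Hash every file under source_root at backup time, keyed by relative POSIX path.
    The manifest must be stored separately from the backup it describes."""
    return {
        p.relative_to(source_root).as_posix(): sha256_of(p)
        for p in sorted(source_root.rglob("*"))
        if p.is_file()
    }


def sample_restore_test(backup_root: Path, manifest: dict, restore_dir: Path,
                        sample_size: int, rng: random.Random = None) -> dict:
    """Restore a random sample of files from the backup and verify each against the manifest.
    Returns {relative_path: "ok" | "missing" | "corrupt"}."""
    rng = rng or random.Random()
    chosen = rng.sample(list(manifest), min(sample_size, len(manifest)))
    results = {}
    for rel in chosen:
        src = backup_root / rel
        if not src.is_file():
            results[rel] = "missing"          # the backup chain lost this file entirely
            continue
        dst = restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)                # the actual restore step (copy from backup media)
        results[rel] = "ok" if sha256_of(dst) == manifest[rel] else "corrupt"
    return results


def summarize(results: dict) -> dict:
    """Count outcomes; the test passes only when every sampled file restored intact."""
    counts = {"ok": 0, "missing": 0, "corrupt": 0}
    for status in results.values():
        counts[status] += 1
    counts["passed"] = counts["missing"] == 0 and counts["corrupt"] == 0
    return counts


def demo() -> dict:
    """Constructed end-to-end run: 20 sample files, a backup with two defects, full-sample restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restore = tmp / "source", tmp / "backup", tmp / "restore"
        for i in range(20):                   # constructed sample data set
            p = source / f"dept{i % 3}" / f"file{i:02d}.txt"
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(f"constructed sample document {i}\n" * 10)
        manifest = build_manifest(source)     # taken before the backup runs
        shutil.copytree(source, backup)       # stands in for the backup job
        # Simulated backup damage: one file truncated to zero bytes, one file missing.
        (backup / "dept0" / "file00.txt").write_bytes(b"")
        (backup / "dept1" / "file01.txt").unlink()
        # sample_size covers all 20 files here so the demo is deterministic.
        return sample_restore_test(backup, manifest, restore, sample_size=20,
                                   rng=random.Random(1))


if __name__ == "__main__":
    outcome = demo()
    for rel, status in sorted(outcome.items()):
        if status != "ok":
            print(f"{status.upper():8} {rel}")
    print(summarize(outcome))
```

In practice the manifest would be generated by the backup job and kept off the backup media, and `backup_root` would point at a freshly mounted restore of the latest chain rather than a directory copy; a non-zero `missing` or `corrupt` count is the signal that the chain needs attention before a real disaster makes it urgent.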
I know Netmarketshare, sadly the fun stuff (geo filters and stuff) costs money, so I'm not able to make a good analysis there where for example China is excluded and you only look at North America and Europe.
Windows 8.1 being more popular than XP does not feel weird to me at all, btw. Nearly all our business customers skipped 8(.1) and are still on 7 or migrated directly to 10. A lot of work is coming in soon though, because all the companies that want to keep important IT security certifications will need to be migrated off 7 before support ends in 2020. It might seem like a lot of time, but in practice it's not. Not looking forward to those projects after all the Win XP to 7 projects and the headaches that came with those.